GEN:SID | 1:625 |
Message | SCAN XMAS |
Impact | System recon. Different operating systems will respond in different ways depending on their particular stack implementation. This allows attackers to determine things such as open/closed ports, ACLs, and the like.
|
Detailed Information | The ACK, FIN, PSH, RST, SYN, and URG control bits were set in a TCP packet.
|
Affected Systems | |
Attack Scenarios | As part of reconnaissance that may be an indicator of upcoming attacks, an attacker may attempt to determine what ports are listening on a given machine by sending a TCP packet with all of its control bits "lit up", hence the name XMAS scan: it's "lit up like a Christmas tree."
|
Ease of Attack | Trivial. Many of the popular portscanners/vulnerability testers, most notably nmap, allow anyone to initiate an XMAS scan.
|
Corrective Action | Determine what information an attacker may have gleaned from this attack. Would your ports show as open or closed? Consider implementing a stateful firewall on the victim machine, or at ingress points on your network.
|
Additional References | http://rr.sans.org/firewall/egress.php
|
Rule References | arachnids: 144
|
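
The flag test described under Detailed Information, written out as an added example; it is not part of the original rule documentation and is not Snort's own code. The function names are hypothetical, the sample packets are constructed with documentation addresses and zero checksums, and ignoring the two high bits of the flags byte (ECE/CWR) is an assumption.

```python
import struct

# The six control bits named under Detailed Information.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS_MASK = FIN | SYN | RST | PSH | ACK | URG  # 0x3F
# Assumption: the two high bits of the flags byte (ECE/CWR) are ignored.

def tcp_flags(ip_packet: bytes):
    """Return the TCP flags byte of a raw IPv4 packet, or None if it has none."""
    if len(ip_packet) < 20:
        return None
    ver_ihl, _, _, _, frag, _, proto = struct.unpack("!BBHHHBB", ip_packet[:10])
    ihl = (ver_ihl & 0x0F) * 4          # IP header length, options included
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6:
        return None
    if frag & 0x1FFF:                   # non-first fragment carries no TCP header
        return None
    if len(ip_packet) < ihl + 14:       # flags byte sits at TCP offset 13
        return None
    return ip_packet[ihl + 13]

def is_xmas(ip_packet: bytes) -> bool:
    """True when all six control bits are set, as the rule description states."""
    flags = tcp_flags(ip_packet)
    return flags is not None and (flags & XMAS_MASK) == XMAS_MASK

def build_packet(flags: int, frag: int = 0, options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 + TCP headers for offline testing."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, frag,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + options + tcp

if __name__ == "__main__":
    samples = {
        "all six bits": build_packet(XMAS_MASK),
        "FIN+PSH+URG only": build_packet(FIN | PSH | URG),
        "plain SYN": build_packet(SYN),
        "later fragment": build_packet(XMAS_MASK, frag=0x00B9),
    }
    for name, pkt in samples.items():
        print(f"{name:18} -> {'match' if is_xmas(pkt) else 'no match'}")
```

A packet carrying only FIN, PSH and URG does not satisfy the description above, so such probes need to be covered by a separate check.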