Hello Daniel,

As far as I understand, the INVALID state is applied to packets that shouldn't exist according to the conntrack engine.

Null scan packets should look like --tcp-flags ALL NONE. Your rule will match packets that are invalid AND that do not have all flags set, which seems to me to be almost all invalid packets!

My advice is that you should consider 3 rules:

One that drops every INVALID packet (... -m conntrack --ctstate INVALID ... -j DROP)
One that logs every NULL SCAN (... --tcp-flags ALL NONE ... -j LOG --log-prefix "NULL Scan ")
One that drops every NULL SCAN (... --tcp-flags ALL NONE ... -j DROP)

I hope that this will help you.

OB

From: Daniel Curtis [mailto:sidetripp...@gmail.com]
Sent: Tuesday 5 February 2013 18:52
To: debian-security@lists.debian.org
Subject: NULL Scan issues or something else?

Hi

I've added a rule to my iptables script, which is responsible for filtering --tcp-flags and the INVALID state. After adding this rule, I've noticed that many IP addresses are trying to scan(?) my computer, but it is not so obvious, because, for me, from the iptables rule point of view, a NULL Scan is something different (see below). This rule looks this way and is related to incoming connections:

... -m conntrack --ctstate INVALID -p tcp ! --tcp-flags SYN,RST,ACK,FIN,PSH,URG SYN,RST,ACK,FIN,PSH,URG -j DROP

Also, I've added the ability to log this rule with -j LOG --log-prefix "NULL Scan ". But something is not as it should be.

As we know, an attacker uses a TCP NULL Scan to determine if ports are closed on the target machine by sending TCP segments with no flags in the packet header, right? So, I wonder if the above rule is okay, because if a NULL Scan does not use flags, the iptables rule should/could look this way: --tcp-flags ALL NONE instead of all these flags mentioned above.

So, what is the above rule responsible for? What should I do with this issue? I'm so confused. Maybe it is normal behavior, because of the INVALID option? I would like to get some advice from you. Generally, I would like to get some advice etc.

## Debian version: Wheezy/Sid.

## Example log entries:

kernel: [ 9973.043847] NULL SCAN: IN=eth0 OUT= MAC=mac_addresses_ SRC=82.195.75.100 DST=192.168.10.32 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=27355 DF PROTO=TCP SPT=80 DPT=41464 WINDOW=6432 RES=0x00 ACK URGP=0

Almost all of the log entries related to the NULL Scan are the same - the same SPT, TTL and PROTO values. Of course, sometimes the IP addresses changed.

Best regards!
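The following is an added example, not code from either message in the thread. It models the semantics of the iptables `--tcp-flags MASK COMP` match (of the flags named in MASK, exactly those named in COMP must be set, with `!` inverting the result, and the keyword ALL standing for FIN,SYN,RST,PSH,ACK,URG as in the iptables manual) and applies it to the quoted kernel LOG line. It shows why Daniel's `! --tcp-flags SYN,RST,ACK,FIN,PSH,URG SYN,RST,ACK,FIN,PSH,URG` matches 63 of the 64 possible flag combinations, so that, combined with `--ctstate INVALID`, it logs essentially every invalid TCP packet (the quoted entry has only ACK set and comes from source port 80, i.e. a stray ACK from a web server, not a scan), whereas `--tcp-flags ALL NONE` matches only a genuinely flagless packet. The flag bit values and the log-line parser are assumptions of this example, not part of the thread.

```python
"""Model of the iptables --tcp-flags match, applied to the LOG line from the thread.

Added example: compares the INVALID-plus-six-flags rule from the question with
the --tcp-flags ALL NONE rule from the answer.
"""

# TCP header flag bits; the keyword table iptables uses for --tcp-flags
# (assumption: FIN, SYN, RST, PSH, ACK, URG plus ALL and NONE).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(TCP_FLAGS.values())   # iptables keyword ALL  == FIN,SYN,RST,PSH,ACK,URG
NONE_FLAGS = 0                         # iptables keyword NONE == no flags


def flags_from_names(spec):
    """Turn an iptables flag list such as "SYN,ACK", "ALL" or "NONE" into a bitmask."""
    mask = 0
    for name in spec.split(","):
        name = name.strip().upper()
        if name == "ALL":
            mask |= ALL_FLAGS
        elif name != "NONE":
            mask |= TCP_FLAGS[name]
    return mask


def tcp_flags_match(packet_flags, mask, comp, negate=False):
    """Semantics of `[!] --tcp-flags MASK COMP`: among the MASK bits, exactly COMP are set."""
    matched = (packet_flags & mask) == comp
    return matched != negate


def parse_log_line(line):
    """Parse a netfilter LOG line: key=value tokens become fields, bare flag
    tokens (ACK, SYN, ...) are folded into the 'flags' bitmask."""
    fields = {}
    flags = 0
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        elif token in TCP_FLAGS:
            flags |= TCP_FLAGS[token]
    fields["flags"] = flags
    return fields


def flag_names(packet_flags):
    """Human-readable list of the flags set in a bitmask."""
    return [name for name, bit in TCP_FLAGS.items() if packet_flags & bit]


SIX_FLAGS = flags_from_names("SYN,RST,ACK,FIN,PSH,URG")


def evaluate_rules(packet_flags):
    """Which of the two rule forms from the thread match a packet with these flags."""
    return {
        # TCP part of the question's rule: ! --tcp-flags SIX SIX
        "invalid_rule_tcp_part": tcp_flags_match(packet_flags, SIX_FLAGS, SIX_FLAGS, negate=True),
        # The answer's rule: --tcp-flags ALL NONE
        "null_scan_rule": tcp_flags_match(packet_flags, ALL_FLAGS, NONE_FLAGS),
    }


def count_matching_combinations(rule_name):
    """How many of the 64 six-flag combinations a rule matches."""
    return sum(1 for f in range(ALL_FLAGS + 1) if evaluate_rules(f)[rule_name])


# Constructed sample: the log entry quoted in the question.
SAMPLE_LOG = ("kernel: [ 9973.043847] NULL SCAN: IN=eth0 OUT= MAC=mac_addresses_ "
              "SRC=82.195.75.100 DST=192.168.10.32 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 "
              "ID=27355 DF PROTO=TCP SPT=80 DPT=41464 WINDOW=6432 RES=0x00 ACK URGP=0")

if __name__ == "__main__":
    pkt = parse_log_line(SAMPLE_LOG)
    print("flags set in logged packet:", flag_names(pkt["flags"]) or ["none"])
    print("rule matches for that packet:", evaluate_rules(pkt["flags"]))
    for name in ("invalid_rule_tcp_part", "null_scan_rule"):
        print(name, "matches", count_matching_combinations(name), "of 64 flag combinations")
```

Running it reports that the logged packet has only ACK set, that the question's rule matches it while `--tcp-flags ALL NONE` does not, and that the six-flag rule matches 63 of 64 combinations against 1 for the NULL scan rule. That is the practical reason for the answer's advice: drop INVALID packets without labelling them, and give the NULL scan pattern its own LOG and DROP rules so the log prefix means what it says.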