LinuxQuestions.org

Linux - Security: TCP FIN Scan and LAND question (http://www.linuxquestions.org/questions/linux-security-4/tcp-fin-scan-and-land-question-4175441775/)

Wim Sturkenboom 12-17-2012 07:06 AM

TCP FIN Scan and LAND question
 
On a regular basis, I find the below in my router's logs.
Code:

12/16/2012  21:30:56 **LAND** wan_address, 53739->> wan_address, 80 (from PPPoE1 Inbound)
12/16/2012  21:30:54 **LAND** wan_address, 53740->> wan_address, 80 (from PPPoE1 Inbound)
12/16/2012  21:30:53 **LAND** wan_address, 53739->> wan_address, 80 (from PPPoE1 Inbound)
...
...
12/16/2012  19:38:55 **TCP FIN Scan** 192.168.2.222, 49690->> 41.73.43.137, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:54 **TCP FIN Scan** 192.168.2.222, 40445->> 114.141.196.42, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:53 **TCP FIN Scan** 192.168.2.222, 49667->> 41.73.43.137, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:53 **TCP FIN Scan** 192.168.2.222, 56685->> 208.31.170.48, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:53 **TCP FIN Scan** 192.168.2.222, 34752->> 208.31.170.32, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:52 **TCP FIN Scan** 192.168.2.222, 35992->> 23.63.98.153, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:52 **TCP FIN Scan** 192.168.2.222, 47868->> 196.26.223.11, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:52 **TCP FIN Scan** 192.168.2.222, 48312->> 208.31.170.57, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:52 **TCP FIN Scan** 192.168.2.222, 49680->> 41.73.43.137, 80 (from PPPoE1 Outbound)

I have an iBurst modem connected to a router; 192.168.2.222 is the (static) IP address of my desktop machine, connected via cable to the router.

What worries me most are the 'fin scan' messages, as they originate from my desktop if I understand the messages correctly.

The desktop runs Ubuntu 12.04, (usually) up-to-date, with iptables configured via ufw (output of iptables -n -L attached).

Any advice on whether I have to be worried is appreciated. And if it indeed comes from my desktop, how to approach and solve the problem.

Thanks in advance.

unSpawn 12-17-2012 10:15 AM

A LAND attack sets the source and destination address and port to the same. Might be the device doing NAT has trouble detecting what's legitimate traffic and what not. Same for your "FIN Scan" alert, TCP stream analysis with Wireshark should prove it to be a router detection error. Personally I'd always disable any scan detection or packet inspection on routers with low specs, favoring user land tools instead for accuracy and performance reasons.

Wim Sturkenboom 12-17-2012 11:56 AM

Thanks; I will run Wireshark and probably get back in a couple of days.

Wim Sturkenboom 12-20-2012 12:12 PM

'tcp fin scan' originates from my machine by the looks of it; I found the following in the router log:

Code:

12/20/2012  09:05:32 **TCP FIN Scan** 1.2.3.4, 3128->> 41.213.47.75, 49221 (from PPPoE1 Inbound)
12/20/2012  09:05:29 **TCP FIN Scan** 192.168.2.222, 58621->> 173.201.98.128, 80 (from PPPoE1 Outbound)
12/20/2012  09:05:29 **TCP FIN Scan** 192.168.2.222, 52354->> 88.221.243.51, 80 (from PPPoE1 Outbound)
12/20/2012  09:05:28 **TCP FIN Scan** 192.168.2.222, 54687->> 50.112.101.148, 80 (from PPPoE1 Outbound)
12/20/2012  09:05:27 **TCP FIN Scan** 192.168.2.222, 52350->> 88.221.243.51, 80 (from PPPoE1 Outbound)
12/20/2012  09:05:27 **TCP FIN Scan** 192.168.2.222, 49223->> 197.84.130.34, 80 (from PPPoE1 Outbound)

I also 'caught' it in Wireshark; I've set a display filter ip.addr=197.84.130.34 for the attached log. The other IP addresses above show similar data. The most relevant data (as far as I can see):
Code:

  3112 653.464793  192.168.2.222        197.84.130.34        TCP      54    49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
  3113 653.464811  192.168.2.222        197.84.130.34        TCP      54    49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
  3114 653.464829  192.168.2.222        197.84.130.34        TCP      54    49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
  3115 653.464848  192.168.2.222        197.84.130.34        TCP      54    49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
  3116 653.464865  192.168.2.222        197.84.130.34        TCP      54    49219 > http [FIN, ACK] Seq=3260 Ack=26373 Win=42240 Len=0
  3117 653.780000  192.168.2.222        197.84.130.34        TCP      54    49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
  3119 653.835989  192.168.2.222        197.84.130.34        TCP      54    49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
  3123 653.887984  192.168.2.222        197.84.130.34        TCP      54    49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
  3124 653.907988  192.168.2.222        197.84.130.34        TCP      54    49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
  3129 654.411988  192.168.2.222        197.84.130.34        TCP      54    49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
  3132 654.463114  192.168.2.222        197.84.130.34        TCP      54    49221 > http [FIN, ACK] Seq=2768 Ack=12599 Win=42240 Len=0
  3133 654.579986  192.168.2.222        197.84.130.34        TCP      54    49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
  3137 654.735989  192.168.2.222        197.84.130.34        TCP      54    49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
  3138 654.795995  192.168.2.222        197.84.130.34        TCP      54    49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
  3139 654.819988  192.168.2.222        197.84.130.34        TCP      54    49219 > http [FIN, ACK] Seq=3260 Ack=26373 Win=42240 Len=0
  3145 655.679991  192.168.2.222        197.84.130.34        TCP      54    49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
  3147 656.071995  192.168.2.222        197.84.130.34        TCP      54    49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
  3150 656.343988  192.168.2.222        197.84.130.34        TCP      54    49221 > http [FIN, ACK] Seq=2768 Ack=12599 Win=42240 Len=0
  3152 656.435991  192.168.2.222        197.84.130.34        TCP      54    49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
  3153 656.575991  192.168.2.222        197.84.130.34        TCP      54    49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
  3162 658.215990  192.168.2.222        197.84.130.34        TCP      54    49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
  3164 659.056004  192.168.2.222        197.84.130.34        TCP      54    49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
  3173 659.840003  192.168.2.222        197.84.130.34        TCP      54    49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
  3179 660.135990  192.168.2.222        197.84.130.34        TCP      54    49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
  3299 663.279999  192.168.2.222        197.84.130.34        TCP      54    49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
  3418 665.023988  192.168.2.222        197.84.130.34        TCP      54    49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
  3532 666.639995  192.168.2.222        197.84.130.34        TCP      54    49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
  3535 667.263987  192.168.2.222        197.84.130.34        TCP      54    49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
  3543 673.408004  192.168.2.222        197.84.130.34        TCP      54    49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
  3544 676.960004  192.168.2.222        197.84.130.34        TCP      54    49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
  3553 680.224013  192.168.2.222        197.84.130.34        TCP      54    49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
  3555 681.503992  192.168.2.222        197.84.130.34        TCP      54    49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
  3577 693.664003  192.168.2.222        197.84.130.34        TCP      54    49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
  3578 700.832005  192.168.2.222        197.84.130.34        TCP      54    49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
  3589 707.424006  192.168.2.222        197.84.130.34        TCP      54    49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
  3595 709.984005  192.168.2.222        197.84.130.34        TCP      54    49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
  3644 734.240002  192.168.2.222        197.84.130.34        TCP      54    49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
  3652 748.576003  192.168.2.222        197.84.130.34        TCP      54    49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0

More extensive logs can be provided if needed.

When I compare this with other wireshark captures that contain http [FIN, ACK], they seem to be acknowledged. Lack of acknowledgement might be the cause of the problem (but my knowledge is too limited to be sure).

So, now I'm curious about the way forward.

PS: the scans happen a couple of times a day and only while browsing the web (browser used is Firefox 17.0.1).

OlRoy 12-20-2012 01:42 PM

Yes, your computer is communicating with an HTTP server and eventually tries to end the connections gracefully with FINs. However, the server isn't responding to them so your computer continues to resend the FINs until it gives up. It doesn't look like a FIN scan at all to me.
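The two alerts in this thread reduce to two checks a defender can script instead of trusting the router's heuristic: unSpawn's definition of LAND (source and destination address, and in the classic form the port, are identical) and OlRoy's reading of the capture (the same [FIN, ACK] with an unchanged Seq/Ack repeated on one connection is a retransmitted graceful close, not a scan). The script below is an added example, not code from the thread or from any of its participants. It parses router alert lines in the format quoted above and Wireshark summary lines in the format of the attached capture, then classifies per source address. The function names, the threshold of five distinct bare-FIN ports, the 203.0.113.5 / 198.51.100.9 / 192.0.2.10 addresses and the scan-shaped sample are all constructed for the example; the retransmission sample is six lines copied from the capture quoted in the thread.

```python
import re
from collections import defaultdict

# Router alert lines, as quoted in the thread:
#   12/16/2012  21:30:56 **LAND** a.b.c.d, 53739->> a.b.c.d, 80 (from PPPoE1 Inbound)
ROUTER_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+\*\*(?P<alert>[^*]+)\*\*\s+"
    r"(?P<src>\S+),\s*(?P<sport>\d+)->>\s*(?P<dst>\S+),\s*(?P<dport>\d+)"
    r"\s+\(from\s+(?P<iface>\S+)\s+(?P<direction>\w+)\)"
)

# Wireshark packet-list lines, as in the attached capture (Ack= is absent on a bare FIN):
#   3112 653.464793  192.168.2.222  197.84.130.34  TCP  54  49224 > http [FIN, ACK] Seq=2701 Ack=8941 ...
WS_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<t>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\]\s+"
    r"Seq=(?P<seq>\d+)(?:\s+Ack=(?P<ack>\d+))?"
)

# Constructed router sample: the thread shows 'wan_address' where 203.0.113.5 stands here.
ROUTER_SAMPLE = """\
12/16/2012  21:30:56 **LAND** 203.0.113.5, 53739->> 203.0.113.5, 80 (from PPPoE1 Inbound)
12/16/2012  19:38:55 **TCP FIN Scan** 192.168.2.222, 49690->> 41.73.43.137, 80 (from PPPoE1 Outbound)
"""

# Six lines copied from the capture in the thread: three connections, each FIN,ACK sent twice.
THREAD_CAPTURE = """\
  3112 653.464793  192.168.2.222        197.84.130.34        TCP      54    49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
  3113 653.464811  192.168.2.222        197.84.130.34        TCP      54    49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
  3115 653.464848  192.168.2.222        197.84.130.34        TCP      54    49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
  3123 653.887984  192.168.2.222        197.84.130.34        TCP      54    49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
  3124 653.907988  192.168.2.222        197.84.130.34        TCP      54    49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
  3129 654.411988  192.168.2.222        197.84.130.34        TCP      54    49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
"""

# Constructed scan-shaped sample: bare FINs (no ACK flag, no established conversation)
# from one source to many ports of one host, each port touched once.
SCAN_SAMPLE = "\n".join(
    f"   {10 + i} 1.00{i}000  198.51.100.9   192.0.2.10   TCP   54   {40001 + i} > {port} [FIN] Seq=1 Win=1024 Len=0"
    for i, port in enumerate((21, 22, 23, 25, 80, 443))
)


def parse_router_line(line):
    """Return the fields of one router alert line, or None if it does not match."""
    m = ROUTER_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
    return entry


def land_shape(entry):
    """(same_address, same_port): a genuine LAND packet has both; the router's
    alert in the thread shows the same address but different ports."""
    return entry["src"] == entry["dst"], entry["sport"] == entry["dport"]


def classify_fin_traffic(lines, scan_port_threshold=5):
    """Per source address: count connections whose FIN,ACK is repeated with an
    unchanged Seq/Ack (peer never acknowledged the close) and distinct
    destination ports probed with a bare FIN, then give a verdict."""
    flows = defaultdict(list)  # (src, sport, dst, dport) -> [(flags, seq, ack)]
    for line in lines:
        m = WS_RE.match(line)
        if not m or "FIN" not in m["flags"]:
            continue
        flags = frozenset(f.strip() for f in m["flags"].split(","))
        flows[(m["src"], m["sport"], m["dst"], m["dport"])].append((flags, m["seq"], m["ack"]))

    per_src = defaultdict(lambda: {"retransmitted_close_flows": 0, "bare_fin_ports": set()})
    for (src, _sport, dst, dport), pkts in flows.items():
        stats = per_src[src]
        if (len(pkts) > 1 and all("ACK" in f for f, _, _ in pkts)
                and len({(s, a) for _, s, a in pkts}) == 1):
            stats["retransmitted_close_flows"] += 1
        if any("ACK" not in f for f, _, _ in pkts):
            stats["bare_fin_ports"].add((dst, dport))

    result = {}
    for src, stats in per_src.items():
        if len(stats["bare_fin_ports"]) >= scan_port_threshold:
            verdict = "fin-scan-like"
        elif stats["retransmitted_close_flows"] > 0:
            verdict = "retransmitted graceful close"
        else:
            verdict = "unremarkable"
        result[src] = {
            "retransmitted_close_flows": stats["retransmitted_close_flows"],
            "bare_fin_ports": len(stats["bare_fin_ports"]),
            "verdict": verdict,
        }
    return result


if __name__ == "__main__":
    for line in ROUTER_SAMPLE.splitlines():
        e = parse_router_line(line)
        print(e["alert"], "same_address/same_port:", land_shape(e))
    print(classify_fin_traffic(THREAD_CAPTURE.splitlines()))
    print(classify_fin_traffic(SCAN_SAMPLE.splitlines()))
```

On the thread's own capture lines the verdict for 192.168.2.222 is "retransmitted graceful close" with three affected connections and no bare-FIN ports, which is what OlRoy describes; the constructed scan sample is the shape that would justify the router's label. The threshold and the Seq/Ack-equality rule are deliberately simple; on a real capture you would feed `tshark` output in the same column layout rather than pasted packet-list lines.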

Wim Sturkenboom 12-22-2012 04:52 AM

Thanks.

What confuses me is that there seem to be three options:
  • the client attempts to gracefully close the connection and it works ([fin, ack] both ways and a terminating [ack])
  • the client attempts to gracefully close the connection and it does not work, resulting in 'tcp fin scan' alerts
  • the client does not try to close the connection (no [fin, ack] at all)

But I'm no longer worried about the 'tcp fin scan' as I now understand what is going on and will mark as solved.
