LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
#1  12-17-2012, 08:06 AM
Wim Sturkenboom (Senior Member; Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler)
TCP FIN Scan and LAND question


On a regular basis, I find the below in my router's logs.
Code:
12/16/2012  21:30:56 **LAND** wan_address, 53739->> wan_address, 80 (from PPPoE1 Inbound)
12/16/2012  21:30:54 **LAND** wan_address, 53740->> wan_address, 80 (from PPPoE1 Inbound)
12/16/2012  21:30:53 **LAND** wan_address, 53739->> wan_address, 80 (from PPPoE1 Inbound)
...
...
12/16/2012  19:38:55 **TCP FIN Scan** 192.168.2.222, 49690->> 41.73.43.137, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:54 **TCP FIN Scan** 192.168.2.222, 40445->> 114.141.196.42, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:53 **TCP FIN Scan** 192.168.2.222, 49667->> 41.73.43.137, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:53 **TCP FIN Scan** 192.168.2.222, 56685->> 208.31.170.48, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:53 **TCP FIN Scan** 192.168.2.222, 34752->> 208.31.170.32, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:52 **TCP FIN Scan** 192.168.2.222, 35992->> 23.63.98.153, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:52 **TCP FIN Scan** 192.168.2.222, 47868->> 196.26.223.11, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:52 **TCP FIN Scan** 192.168.2.222, 48312->> 208.31.170.57, 80 (from PPPoE1 Outbound)
12/16/2012  19:38:52 **TCP FIN Scan** 192.168.2.222, 49680->> 41.73.43.137, 80 (from PPPoE1 Outbound)
I have an iburst modem connected to a router; 192.168.2.222 is the (static) IP address of my desktop machine, connected via cable to the router.

What worries me mostly are the 'fin scan' messages, as they originate from my desktop if I understand the messages correctly.

The desktop runs Ubuntu 12.04, (usually) up-to-date and iptables configured with ufw (output of iptables -n -L attached).

Any advice on whether I have to be worried is appreciated. And if it indeed comes from my desktop, how to approach and solve the problem.

Thanks in advance.
Attached: iptables.txt
#2  12-17-2012, 11:15 AM
unSpawn (Moderator)
A LAND attack sets the source and destination address and port to the same. Might be the device doing NAT has trouble detecting what's legitimate traffic and what not. Same for your "FIN Scan" alert, TCP stream analysis with Wireshark should prove it to be a router detection error. Personally I'd always disable any scan detection or packet inspection on routers with low specs, favoring user land tools instead for accuracy and performance reasons.
 
#3  12-17-2012, 12:56 PM
Wim Sturkenboom (Original Poster)
Thanks; I will run Wireshark and will probably get back in a couple of days.
 
#4  12-20-2012, 01:12 PM
Wim Sturkenboom (Original Poster)
'tcp fin scan' originates from my machine by the looks of it; I found the following in the router log

Code:
12/20/2012  09:05:32 **TCP FIN Scan** 1.2.3.4, 3128->> 41.213.47.75, 49221 (from PPPoE1 Inbound)
12/20/2012  09:05:29 **TCP FIN Scan** 192.168.2.222, 58621->> 173.201.98.128, 80 (from PPPoE1 Outbound)
12/20/2012  09:05:29 **TCP FIN Scan** 192.168.2.222, 52354->> 88.221.243.51, 80 (from PPPoE1 Outbound)
12/20/2012  09:05:28 **TCP FIN Scan** 192.168.2.222, 54687->> 50.112.101.148, 80 (from PPPoE1 Outbound)
12/20/2012  09:05:27 **TCP FIN Scan** 192.168.2.222, 52350->> 88.221.243.51, 80 (from PPPoE1 Outbound)
12/20/2012  09:05:27 **TCP FIN Scan** 192.168.2.222, 49223->> 197.84.130.34, 80 (from PPPoE1 Outbound)
I also 'caught' it in Wireshark; I've set a display filter ip.addr=197.84.130.34 for the attached log. The other IP addresses above show similar data. The most relevant data (as far as I can see):
Code:
   3112 653.464793  192.168.2.222         197.84.130.34         TCP      54     49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
   3113 653.464811  192.168.2.222         197.84.130.34         TCP      54     49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
   3114 653.464829  192.168.2.222         197.84.130.34         TCP      54     49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
   3115 653.464848  192.168.2.222         197.84.130.34         TCP      54     49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
   3116 653.464865  192.168.2.222         197.84.130.34         TCP      54     49219 > http [FIN, ACK] Seq=3260 Ack=26373 Win=42240 Len=0
   3117 653.780000  192.168.2.222         197.84.130.34         TCP      54     49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
   3119 653.835989  192.168.2.222         197.84.130.34         TCP      54     49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
   3123 653.887984  192.168.2.222         197.84.130.34         TCP      54     49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
   3124 653.907988  192.168.2.222         197.84.130.34         TCP      54     49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
   3129 654.411988  192.168.2.222         197.84.130.34         TCP      54     49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
   3132 654.463114  192.168.2.222         197.84.130.34         TCP      54     49221 > http [FIN, ACK] Seq=2768 Ack=12599 Win=42240 Len=0
   3133 654.579986  192.168.2.222         197.84.130.34         TCP      54     49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
   3137 654.735989  192.168.2.222         197.84.130.34         TCP      54     49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
   3138 654.795995  192.168.2.222         197.84.130.34         TCP      54     49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
   3139 654.819988  192.168.2.222         197.84.130.34         TCP      54     49219 > http [FIN, ACK] Seq=3260 Ack=26373 Win=42240 Len=0
   3145 655.679991  192.168.2.222         197.84.130.34         TCP      54     49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
   3147 656.071995  192.168.2.222         197.84.130.34         TCP      54     49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
   3150 656.343988  192.168.2.222         197.84.130.34         TCP      54     49221 > http [FIN, ACK] Seq=2768 Ack=12599 Win=42240 Len=0
   3152 656.435991  192.168.2.222         197.84.130.34         TCP      54     49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
   3153 656.575991  192.168.2.222         197.84.130.34         TCP      54     49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
   3162 658.215990  192.168.2.222         197.84.130.34         TCP      54     49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
   3164 659.056004  192.168.2.222         197.84.130.34         TCP      54     49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
   3173 659.840003  192.168.2.222         197.84.130.34         TCP      54     49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
   3179 660.135990  192.168.2.222         197.84.130.34         TCP      54     49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
   3299 663.279999  192.168.2.222         197.84.130.34         TCP      54     49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
   3418 665.023988  192.168.2.222         197.84.130.34         TCP      54     49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
   3532 666.639995  192.168.2.222         197.84.130.34         TCP      54     49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
   3535 667.263987  192.168.2.222         197.84.130.34         TCP      54     49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
   3543 673.408004  192.168.2.222         197.84.130.34         TCP      54     49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
   3544 676.960004  192.168.2.222         197.84.130.34         TCP      54     49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
   3553 680.224013  192.168.2.222         197.84.130.34         TCP      54     49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
   3555 681.503992  192.168.2.222         197.84.130.34         TCP      54     49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
   3577 693.664003  192.168.2.222         197.84.130.34         TCP      54     49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
   3578 700.832005  192.168.2.222         197.84.130.34         TCP      54     49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
   3589 707.424006  192.168.2.222         197.84.130.34         TCP      54     49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
   3595 709.984005  192.168.2.222         197.84.130.34         TCP      54     49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
   3644 734.240002  192.168.2.222         197.84.130.34         TCP      54     49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
   3652 748.576003  192.168.2.222         197.84.130.34         TCP      54     49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
More extensive logs can be provided if needed.

When I compare this with other Wireshark captures that contain http [FIN, ACK], they seem to be acknowledged. Lack of acknowledgement might be the cause of the problem (but my knowledge is too limited to be sure).

So, now I'm curious about the way forward.

PS: the scans happen a couple of times a day and only while browsing the web (the browser used is Firefox 17.0.1).
Attached: 20121220.01.finscan.ipaddr197_84_130_34.summary.txt
#5  12-20-2012, 02:42 PM
OlRoy (Member)
Yes, your computer is communicating with an HTTP server and eventually tries to end the connections gracefully with FINs. However, the server isn't responding to them so your computer continues to resend the FINs until it gives up. It doesn't look like a FIN scan at all to me.
 
#6  12-22-2012, 05:52 AM
Wim Sturkenboom (Original Poster)
Thanks.

What confuses me is that there seem to be three options
  • the client attempts to gracefully close the connection and it works ([fin, ack] both ways and a terminating [ack])
  • the client attempts to gracefully close the connection and it does not work, resulting in 'tcp fin scan' alerts
  • the client does not try to close the connection (no [fin, ack] at all)

But I'm no longer worried about the 'tcp fin scan' as I now understand what is going on and will mark as solved.
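The distinction drawn in posts #5 and #6 (a real FIN scan versus a graceful close that the peer never answers, versus a clean close or no close at all) is mechanical enough to check in code. The script below is an added example, not code from this thread and not the router's or Wireshark's own logic. It parses Wireshark-style summary lines in the same layout as the capture posted above, keeps per-flow state, and labels each flow; it also applies the LAND check unSpawn describes in #2 (source and destination address:port identical). The sample lines, addresses and ports are constructed, and the category names, the Flow class and the observe/classify functions are my own naming.

```python
"""Tell a real TCP FIN scan apart from an unanswered graceful close.

Added example, not code from the thread. Reads Wireshark-style summary
lines (same layout as the posted capture; the lines below are constructed),
tracks per-flow state, and reports whether each flow closed cleanly, keeps
retransmitting a FIN/ACK nobody answers, never tried to close, or looks
like a bare-FIN probe. Also flags LAND-style packets.
"""
import re
from collections import defaultdict

PORT_NAMES = {"http": 80, "https": 443, "ssh": 22}  # Wireshark prints names for known ports

LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]*)\]"
    r"(?:\s+Seq=(?P<seq>\d+))?(?:\s+Ack=(?P<ack>\d+))?"
)


def _port(text):
    return int(text) if text.isdigit() else PORT_NAMES.get(text, text)


def parse_line(line):
    """Return a packet dict for one summary line, or None if it is not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "sport": _port(m["sport"]), "dport": _port(m["dport"]),
            "flags": {f.strip() for f in m["flags"].split(",")},
            "seq": int(m["seq"] or 0), "ack": int(m["ack"] or 0)}


class Flow:
    def __init__(self):
        self.syn_seen = False             # a handshake was observed
        self.bare_fin = False             # FIN without ACK: what a FIN scan sends
        self.fins = {}                    # endpoint -> (seq, ack) of its FIN/ACK
        self.resends = defaultdict(int)   # endpoint -> identical FIN/ACK repeats
        self.fin_acked = set()            # endpoints whose FIN the peer acknowledged


def observe(flows, pkt):
    """Update flow state with one packet; return per-packet alerts."""
    alerts = []
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    if a == b:
        alerts.append("LAND: %s:%s talks to itself" % a)
    flow = flows[tuple(sorted((a, b)))]
    flags = pkt["flags"]
    if "SYN" in flags:
        flow.syn_seen = True
    if "FIN" in flags:
        if "ACK" not in flags:
            flow.bare_fin = True
        elif flow.fins.get(a) == (pkt["seq"], pkt["ack"]):
            flow.resends[a] += 1          # same FIN/ACK again: the peer never answered
        else:
            flow.fins[a] = (pkt["seq"], pkt["ack"])
    # a FIN consumes one sequence number, so acking seq+1 acknowledges it
    if "ACK" in flags and b in flow.fins and pkt["ack"] == flow.fins[b][0] + 1:
        flow.fin_acked.add(b)
    return alerts


def classify(flow):
    if flow.bare_fin and not flow.syn_seen:
        return "fin-scan-candidate"       # bare FIN with no handshake (e.g. nmap -sF)
    if not flow.fins:
        return "open"                     # nobody tried to close
    if len(flow.fin_acked) == 2:
        return "closed-gracefully"        # FIN/ACK both ways, each acknowledged
    if any(flow.resends[e] and e not in flow.fin_acked for e in flow.fins):
        return "close-unanswered"         # what the router labelled a FIN scan
    return "closing"


def analyze(text):
    flows, alerts = defaultdict(Flow), []
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt:
            alerts.extend(observe(flows, pkt))
    return {k: classify(f) for k, f in flows.items()}, alerts


# Constructed sample in the capture's layout; addresses are documentation ranges.
SAMPLE = """\
   1 0.000000  10.0.0.5       203.0.113.10   TCP  74  49220 > http [SYN] Seq=0
   2 0.010000  203.0.113.10   10.0.0.5       TCP  74  http > 49220 [SYN, ACK] Seq=0 Ack=1
   3 5.000000  10.0.0.5       203.0.113.10   TCP  54  49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
   4 5.300000  10.0.0.5       203.0.113.10   TCP  54  49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
   5 5.900000  10.0.0.5       203.0.113.10   TCP  54  49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
   6 0.100000  10.0.0.5       203.0.113.20   TCP  74  50000 > http [SYN] Seq=0
   7 0.110000  203.0.113.20   10.0.0.5       TCP  74  http > 50000 [SYN, ACK] Seq=0 Ack=1
   8 1.000000  10.0.0.5       203.0.113.20   TCP  54  50000 > http [FIN, ACK] Seq=100 Ack=200
   9 1.010000  203.0.113.20   10.0.0.5       TCP  54  http > 50000 [FIN, ACK] Seq=200 Ack=101
  10 1.010100  10.0.0.5       203.0.113.20   TCP  54  50000 > http [ACK] Seq=101 Ack=201
  11 2.000000  198.51.100.7   10.0.0.5       TCP  54  40000 > ssh [FIN] Seq=1
  12 3.000000  192.0.2.1      192.0.2.1      TCP  54  http > http [SYN] Seq=0
"""

if __name__ == "__main__":
    for key, label in analyze(SAMPLE)[0].items():
        print(key, label)
```

Run it against a real capture by exporting the Wireshark packet list as text and feeding it to analyze(). The 49220 flow mirrors the posted capture (repeated identical FIN/ACKs, no reply) and comes out as close-unanswered, the 50000 flow shows the clean three-step close from post #6, the bare FIN to port 22 with no handshake is the only thing that should be called a FIN scan, and the last line trips the LAND check.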
