Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
12-17-2012, 07:06 AM | #1
Senior Member
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,780
TCP FIN Scan and LAND question
On a regular basis, I find the below in my router's logs.
Code:
12/16/2012 21:30:56 **LAND** wan_address, 53739->> wan_address, 80 (from PPPoE1 Inbound)
12/16/2012 21:30:54 **LAND** wan_address, 53740->> wan_address, 80 (from PPPoE1 Inbound)
12/16/2012 21:30:53 **LAND** wan_address, 53739->> wan_address, 80 (from PPPoE1 Inbound)
...
...
12/16/2012 19:38:55 **TCP FIN Scan** 192.168.2.222, 49690->> 41.73.43.137, 80 (from PPPoE1 Outbound)
12/16/2012 19:38:54 **TCP FIN Scan** 192.168.2.222, 40445->> 114.141.196.42, 80 (from PPPoE1 Outbound)
12/16/2012 19:38:53 **TCP FIN Scan** 192.168.2.222, 49667->> 41.73.43.137, 80 (from PPPoE1 Outbound)
12/16/2012 19:38:53 **TCP FIN Scan** 192.168.2.222, 56685->> 208.31.170.48, 80 (from PPPoE1 Outbound)
12/16/2012 19:38:53 **TCP FIN Scan** 192.168.2.222, 34752->> 208.31.170.32, 80 (from PPPoE1 Outbound)
12/16/2012 19:38:52 **TCP FIN Scan** 192.168.2.222, 35992->> 23.63.98.153, 80 (from PPPoE1 Outbound)
12/16/2012 19:38:52 **TCP FIN Scan** 192.168.2.222, 47868->> 196.26.223.11, 80 (from PPPoE1 Outbound)
12/16/2012 19:38:52 **TCP FIN Scan** 192.168.2.222, 48312->> 208.31.170.57, 80 (from PPPoE1 Outbound)
12/16/2012 19:38:52 **TCP FIN Scan** 192.168.2.222, 49680->> 41.73.43.137, 80 (from PPPoE1 Outbound)
I have an iBurst modem connected to a router; 192.168.2.222 is the (static) IP address of my desktop machine, connected via cable to the router.
What worries me most are the 'FIN scan' messages, as they originate from my desktop if I understand the messages correctly.
The desktop runs Ubuntu 12.04, (usually) up-to-date, and iptables configured with ufw (output of iptables -n -L attached).
Any advice on whether I have to be worried is appreciated. And if it indeed comes from my desktop, how to approach and solve the problem.
Thanks in advance.
12-17-2012, 10:15 AM | #2
Moderator
Registered: May 2001
Posts: 24,779
A LAND attack sets the source and destination address and port to the same. Might be the device doing NAT has trouble detecting what's legitimate traffic and what isn't. Same for your "FIN Scan" alert: TCP stream analysis with Wireshark should prove it to be a router detection error. Personally I'd always disable any scan detection or packet inspection on routers with low specs, favoring user-land tools instead for accuracy and performance reasons.
12-17-2012, 11:56 AM | #3
Senior Member
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,780
Original Poster
Thanks; I will run Wireshark and will probably get back in a couple of days.
12-20-2012, 12:12 PM | #4
Senior Member
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,780
Original Poster
The 'TCP FIN scan' originates from my machine by the looks of it; I found the following in the router log:
Code:
12/20/2012 09:05:32 **TCP FIN Scan** 1.2.3.4, 3128->> 41.213.47.75, 49221 (from PPPoE1 Inbound)
12/20/2012 09:05:29 **TCP FIN Scan** 192.168.2.222, 58621->> 173.201.98.128, 80 (from PPPoE1 Outbound)
12/20/2012 09:05:29 **TCP FIN Scan** 192.168.2.222, 52354->> 88.221.243.51, 80 (from PPPoE1 Outbound)
12/20/2012 09:05:28 **TCP FIN Scan** 192.168.2.222, 54687->> 50.112.101.148, 80 (from PPPoE1 Outbound)
12/20/2012 09:05:27 **TCP FIN Scan** 192.168.2.222, 52350->> 88.221.243.51, 80 (from PPPoE1 Outbound)
12/20/2012 09:05:27 **TCP FIN Scan** 192.168.2.222, 49223->> 197.84.130.34, 80 (from PPPoE1 Outbound)
I also 'caught' it in Wireshark; I've set a display filter ip.addr=197.84.130.34 for the attached log. The other IP addresses above show similar data. The most relevant data (as far as I can see):
Code:
3112 653.464793 192.168.2.222 197.84.130.34 TCP 54 49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
3113 653.464811 192.168.2.222 197.84.130.34 TCP 54 49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
3114 653.464829 192.168.2.222 197.84.130.34 TCP 54 49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
3115 653.464848 192.168.2.222 197.84.130.34 TCP 54 49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
3116 653.464865 192.168.2.222 197.84.130.34 TCP 54 49219 > http [FIN, ACK] Seq=3260 Ack=26373 Win=42240 Len=0
3117 653.780000 192.168.2.222 197.84.130.34 TCP 54 49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
3119 653.835989 192.168.2.222 197.84.130.34 TCP 54 49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
3123 653.887984 192.168.2.222 197.84.130.34 TCP 54 49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
3124 653.907988 192.168.2.222 197.84.130.34 TCP 54 49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
3129 654.411988 192.168.2.222 197.84.130.34 TCP 54 49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
3132 654.463114 192.168.2.222 197.84.130.34 TCP 54 49221 > http [FIN, ACK] Seq=2768 Ack=12599 Win=42240 Len=0
3133 654.579986 192.168.2.222 197.84.130.34 TCP 54 49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
3137 654.735989 192.168.2.222 197.84.130.34 TCP 54 49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
3138 654.795995 192.168.2.222 197.84.130.34 TCP 54 49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
3139 654.819988 192.168.2.222 197.84.130.34 TCP 54 49219 > http [FIN, ACK] Seq=3260 Ack=26373 Win=42240 Len=0
3145 655.679991 192.168.2.222 197.84.130.34 TCP 54 49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
3147 656.071995 192.168.2.222 197.84.130.34 TCP 54 49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
3150 656.343988 192.168.2.222 197.84.130.34 TCP 54 49221 > http [FIN, ACK] Seq=2768 Ack=12599 Win=42240 Len=0
3152 656.435991 192.168.2.222 197.84.130.34 TCP 54 49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
3153 656.575991 192.168.2.222 197.84.130.34 TCP 54 49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
3162 658.215990 192.168.2.222 197.84.130.34 TCP 54 49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
3164 659.056004 192.168.2.222 197.84.130.34 TCP 54 49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
3173 659.840003 192.168.2.222 197.84.130.34 TCP 54 49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
3179 660.135990 192.168.2.222 197.84.130.34 TCP 54 49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
3299 663.279999 192.168.2.222 197.84.130.34 TCP 54 49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
3418 665.023988 192.168.2.222 197.84.130.34 TCP 54 49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
3532 666.639995 192.168.2.222 197.84.130.34 TCP 54 49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
3535 667.263987 192.168.2.222 197.84.130.34 TCP 54 49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
3543 673.408004 192.168.2.222 197.84.130.34 TCP 54 49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
3544 676.960004 192.168.2.222 197.84.130.34 TCP 54 49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
3553 680.224013 192.168.2.222 197.84.130.34 TCP 54 49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
3555 681.503992 192.168.2.222 197.84.130.34 TCP 54 49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
3577 693.664003 192.168.2.222 197.84.130.34 TCP 54 49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
3578 700.832005 192.168.2.222 197.84.130.34 TCP 54 49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
3589 707.424006 192.168.2.222 197.84.130.34 TCP 54 49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
3595 709.984005 192.168.2.222 197.84.130.34 TCP 54 49223 > http [FIN, ACK] Seq=3678 Ack=21604 Win=42240 Len=0
3644 734.240002 192.168.2.222 197.84.130.34 TCP 54 49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
3652 748.576003 192.168.2.222 197.84.130.34 TCP 54 49222 > http [FIN, ACK] Seq=3690 Ack=56439 Win=42240 Len=0
More extensive logs can be provided if needed.
When I compare this with other Wireshark captures that contain http [FIN, ACK], they seem to be acknowledged. Lack of acknowledgement might be the cause of the problem (but my knowledge is too limited to be sure).
So, now I'm curious about the way forward.
PS: the scans happen a couple of times a day and only while browsing the web (browser used is Firefox 17.0.1).
Last edited by Wim Sturkenboom; 12-20-2012 at 12:45 PM.
12-20-2012, 01:42 PM | #5
Member
Registered: Dec 2002
Posts: 303
Yes, your computer is communicating with an HTTP server and eventually tries to end the connections gracefully with FINs. However, the server isn't responding to them so your computer continues to resend the FINs until it gives up. It doesn't look like a FIN scan at all to me.
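The two tests the replies in #2 and #5 describe, as an added example that is not part of the thread: a small Python script that applies the textbook LAND definition (source and destination address and port all identical) to router log lines in the format posted in #1, and groups the Wireshark summary lines from #4 per TCP flow to tell an unacknowledged, retransmitted [FIN, ACK] close (this thread's case) from a bare-FIN probe of the kind an actual FIN scan sends. The router lines and the capture lines are a constructed subset copied from the posts; the 203.0.113.7 LAND line and the bare-FIN line from 10.0.0.5 are constructed for contrast, and the function names are the example's own.

```python
"""Classify router LAND / "TCP FIN Scan" alerts against the packet evidence.

Added example for this thread, not code from the original posts.
"""
import re
from collections import defaultdict

# Constructed router-log lines in the thread's format. The first two are the
# router's own LAND alerts (wan_address placeholder as posted); the third is a
# constructed line that really does match the LAND definition; the last is one
# of the posted "TCP FIN Scan" lines.
ROUTER_LOG = """\
12/16/2012 21:30:56 **LAND** wan_address, 53739->> wan_address, 80 (from PPPoE1 Inbound)
12/16/2012 21:30:54 **LAND** wan_address, 53740->> wan_address, 80 (from PPPoE1 Inbound)
12/16/2012 21:31:00 **LAND** 203.0.113.7, 80->> 203.0.113.7, 80 (from PPPoE1 Inbound)
12/16/2012 19:38:55 **TCP FIN Scan** 192.168.2.222, 49690->> 41.73.43.137, 80 (from PPPoE1 Outbound)
"""

ROUTER_RE = re.compile(
    r"^(?P<stamp>\S+ \S+) \*\*(?P<alert>[^*]+)\*\* "
    r"(?P<src>\S+), (?P<sport>\d+)->> (?P<dst>\S+), (?P<dport>\d+)"
)


def check_land(line):
    """Return 'land' only when src addr/port equal dst addr/port.

    A match on address alone (e.g. a NAT'd flow seen from the WAN side) is
    reported separately because it is not a LAND packet.
    """
    m = ROUTER_RE.match(line)
    if not m:
        return "unparsed"
    same_addr = m["src"] == m["dst"]
    same_port = m["sport"] == m["dport"]
    if same_addr and same_port:
        return "land"
    if same_addr:
        return "same-address-only"
    return "not-land"


# Subset of the Wireshark summary lines posted in #4 (frame, time, src, dst,
# proto, length, ports, flags, Seq/Ack/Win/Len) plus one constructed bare-FIN
# probe from 10.0.0.5, which is what a FIN scan (nmap -sF style) looks like.
CAPTURE = """\
3112 653.464793 192.168.2.222 197.84.130.34 TCP 54 49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
3115 653.464848 192.168.2.222 197.84.130.34 TCP 54 49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
3117 653.780000 192.168.2.222 197.84.130.34 TCP 54 49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
3123 653.887984 192.168.2.222 197.84.130.34 TCP 54 49224 > http [FIN, ACK] Seq=2701 Ack=8941 Win=42240 Len=0
3129 654.411988 192.168.2.222 197.84.130.34 TCP 54 49220 > http [FIN, ACK] Seq=2829 Ack=60760 Win=48640 Len=0
3132 654.463114 192.168.2.222 197.84.130.34 TCP 54 49221 > http [FIN, ACK] Seq=2768 Ack=12599 Win=42240 Len=0
9001 900.000000 10.0.0.5 192.168.2.222 TCP 54 40000 > http [FIN] Seq=1 Win=1024 Len=0
"""

CAP_RE = re.compile(
    r"^(?P<frame>\d+) (?P<time>[\d.]+) (?P<src>\S+) (?P<dst>\S+) TCP \d+ "
    r"(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]+)\] "
    r"Seq=(?P<seq>\d+)(?: Ack=(?P<ack>\d+))?"
)


def classify_fins(capture):
    """Group FIN-bearing packets per flow and label each flow.

    Returns {(src, sport, dst, dport): (verdict, fin_packet_count)}:
      fin-probe                : FIN without ACK, no established stream (real scan)
      unacked-close-retransmit : same [FIN, ACK] (same Seq/Ack) sent repeatedly
      graceful-close           : a single [FIN, ACK]
    """
    flows = defaultdict(list)
    for line in capture.splitlines():
        m = CAP_RE.match(line)
        if not m:
            continue
        flags = {f.strip() for f in m["flags"].split(",")}
        if "FIN" not in flags:
            continue
        key = (m["src"], m["sport"], m["dst"], m["dport"])
        flows[key].append((flags, int(m["seq"]), m["ack"]))

    verdicts = {}
    for key, pkts in flows.items():
        if any("ACK" not in flags for flags, _, _ in pkts):
            verdicts[key] = ("fin-probe", len(pkts))
            continue
        distinct = {(seq, ack) for _, seq, ack in pkts}
        if len(pkts) > 1 and len(distinct) == 1:
            verdicts[key] = ("unacked-close-retransmit", len(pkts))
        else:
            verdicts[key] = ("graceful-close", len(pkts))
    return verdicts


if __name__ == "__main__":
    for line in ROUTER_LOG.splitlines():
        print(f"{check_land(line):18s} | {line}")
    for flow, (verdict, n) in sorted(classify_fins(CAPTURE).items()):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {verdict} ({n} FIN packets)")
```

Run as a script it prints a verdict per line. Note that the router's own LAND lines only match on address (port 53739 or 53740 on one side, 80 on the other), which is why the reply in #2 points at the NAT device's detection rather than a real LAND packet; and every posted FIN packet carries ACK with identical Seq/Ack per port, i.e. a retransmitted close, not a scan.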
12-22-2012, 04:52 AM | #6
Senior Member
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,780
Original Poster
Thanks.
What confuses me is that there seem to be three options:
- the client attempts to gracefully close the connection and it works ([FIN, ACK] both ways and a terminating [ACK])
- the client attempts to gracefully close the connection and it does not work, resulting in 'TCP FIN scan' alerts
- the client does not try to close the connection (no [FIN, ACK] at all)
But I'm no longer worried about the 'TCP FIN scan' as I now understand what is going on and will mark as solved.
Last edited by Wim Sturkenboom; 12-22-2012 at 04:53 AM.