Stealth Scans (RST packet)

Content

Stealth port scans, by definition, aren’t meant to be detectable. They are based on how the TCP protocol stack responds to unexpected packets, or packets with illegal state flag combinations.

For example, consider an incoming packet that has the ACK flag set but has no related connection.

If the ACK were sent to a port with a listening server attached, the TCP stack wouldn’t find a related connection and would return a TCP RST message to tell the sender to reset the connection.

If the ACK were sent to an unused port, the system would simply return a TCP RST message as an error indication, just as the firewall might return an ICMP error message by default.

The issue is further complicated because some firewalls test only for the SYN flag or the ACK flag. If neither is set, or if the packet contains some other combination of flags, the firewall implementation might pass the packet up to the TCP code. Depending on the TCP state flag combination and the operating system receiving the packet, the system will respond with an RST or with silence. This mechanism can be used to help identify the operating system that the target system is running. In any of these cases, the receiving system isn’t likely to log the event.

Inducing a target host to generate an RST packet in this manner can also be used to map a network, determining the IP addresses of systems listening on the network. This is especially helpful if the target system isn't a server and its firewall has been set to silently drop unwanted packets.
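Because the TCP stack answers these probes with an unlogged RST (or silence), the defender's fix is to stop them at the firewall, where they can be logged. The ruleset below is an added example, not code from the book: an nftables fragment that logs and drops the illegal flag combinations and out-of-state ACK/FIN probes described above before they reach the TCP code. The table and chain names and the log prefixes are my own choices; it assumes a kernel with nftables and conntrack support.

```nft
# Added example (not from the book). Load with: nft -f <this file>
table inet stealth_scan_guard {
    chain input {
        type filter hook input priority 0; policy accept;

        # Flag combinations that never occur in a legitimate TCP exchange.
        # They are checked first, so they are logged and dropped regardless of
        # port or connection state; the host's reply no longer varies with the
        # flag combination, which removes the OS-fingerprinting signal.
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0 log prefix "tcp-null-scan: " drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) log prefix "tcp-xmas-scan: " drop
        tcp flags & (syn|fin) == (syn|fin) log prefix "tcp-syn-fin: " drop
        tcp flags & (syn|rst) == (syn|rst) log prefix "tcp-syn-rst: " drop

        # Packets belonging to a known connection are fine.
        ct state established,related accept

        # A "new" packet that is not a bare SYN: a lone ACK or FIN probe to a
        # port with no related connection. (With the default
        # nf_conntrack_tcp_loose=1, a stray ACK is classified as "new"; with
        # tcp_loose=0 it is "invalid" and caught by the next rule.)
        ct state new tcp flags & (fin|syn|rst|ack) != syn log prefix "tcp-new-not-syn: " drop

        # Anything conntrack cannot place in a valid state.
        ct state invalid log prefix "ct-invalid: " drop
    }
}
```

The log prefixes make the probes greppable in the kernel log (e.g. `journalctl -k | grep tcp-`), which is exactly the audit trail the unpatched TCP stack does not leave.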

From

Linux Security: Enhancing Security with nftables and Beyond