Tweet
An interesting use of setting flags during a port scan is the use of the ACK scan which is used to test whether any filtering is being done on the target port. Filtering indicates that a stateful firewall is present between the target host and the attacker. The result that comes back from the probe tell the attacker whether a firewall or router is being used.
Many methods are available to evade or minimize the risk of detection while scanning. One way is to use fragmentation in that a packet is fragmented into multiple pieces with the goal of preventing detection devices from seeing what the original unfragmented packet intended to do. IDS systems like Snort now has the ability to keep the fragmented packets and reassemble them for analysis. IDS systems are not truly real time and this gives IDS systems this ability. For a real-time IPS to do this in wire speed will likely result in latency and packet loss.
Tools that have the capability to do fragmenting includes the following
Many methods are available to evade or minimize the risk of detection while scanning. One way is to use fragmentation in that a packet is fragmented into multiple pieces with the goal of preventing detection devices from seeing what the original unfragmented packet intended to do. IDS systems like Snort now has the ability to keep the fragmented packets and reassemble them for analysis. IDS systems are not truly real time and this gives IDS systems this ability. For a real-time IPS to do this in wire speed will likely result in latency and packet loss.
Tools that have the capability to do fragmenting includes the following
- Nmap
- Fragtest
- Fragroute