three-way TCP
Andreas Ericsson
ae at op5.se
Fri Oct 8 11:00:46 CEST 2004
Sébastien Cantos wrote:
> Hi,
>
> You can check if a service (tcp port) is responding just by completing 2
> parts of the 3 way handshake.
>
> 1/ Client sends a Syn to the server
> 2/ Server responds with a Syn/Ack
>
This is quite obviously not the case with the Nagios plugins, for a
number of reasons.
1. It generally causes some distress for the targeted servers (handles
left open pending timeout), which Nagios checks wouldn't do.
2. SYN scanning requires access to raw sockets, which isn't permitted to
regular users on any unix system I'm aware of. The plugins don't run
as root, so they wouldn't be able to obtain a raw socket (also, raw
sockets are very much more difficult to handle programmatically and
since they're not needed, it's just plain dumb to use them). There are
exceptions of course (check_icmp and check_dhcp for instance, for
protocol reasons) but the source is freely available so you can easily
vet the relevant plugins.
3. Checks are written to mimic client behaviour. Proper clients don't go
out of their way to stir up mischief. Improper ones might, but the
checks aren't designed to be pen-testing apps, but rather tests of
proper standards-compliant functionality.
> This is called *stealth* scanning.
>
No, it's called SYN scanning. Probing with FIN, FIN(URG|PUSH) and empty
(NULL) packets is called stealth scanning (although lots of tools have
been developed to detect those too since nmap became a fairly standard
tool). Try to read more than one script-kiddie hacking page every once
in a while. If nothing else, it should keep you occupied with something
legal.
--
Andreas Ericsson andreas.ericsson at op5.se
OP5 AB www.op5.se
Lead Developer
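
Added example, not part of the original message and not code from the Nagios plugins: a full-connect TCP check of the kind the reply describes, which completes the three-way handshake through an ordinary socket as an unprivileged user and then closes the connection cleanly. The function name, thresholds and status-line wording are assumptions, and the loopback listener in `demo()` is constructed sample input.

```python
import socket
import time

# Nagios plugin exit codes: 0 = OK, 1 = WARNING, 2 = CRITICAL
OK, WARNING, CRITICAL = 0, 1, 2


def check_tcp(host, port, warn=1.0, timeout=5.0):
    """Full-connect check: finish the handshake, then close in an orderly way.

    Returns (exit_code, status_line). Uses a normal stream socket, so no raw
    socket and no root privileges are needed.
    """
    start = time.monotonic()
    try:
        # Returns only after SYN, SYN/ACK and the final ACK have been exchanged.
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return CRITICAL, f"TCP CRITICAL - {host}:{port} refused the connection"
    except socket.timeout:
        return CRITICAL, f"TCP CRITICAL - {host}:{port} timed out after {timeout}s"
    except OSError as exc:
        return CRITICAL, f"TCP CRITICAL - {host}:{port}: {exc}"
    elapsed = time.monotonic() - start
    with sock:
        try:
            # Orderly shutdown sends FIN, so the server is not left holding
            # a handle open until its own timeout expires.
            sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass  # peer already closed; nothing left to tear down
    code = WARNING if elapsed > warn else OK
    label = "WARNING" if code == WARNING else "OK"
    return code, f"TCP {label} - {elapsed:.3f}s response time on {host}:{port}"


def demo():
    """Run the check against a constructed loopback listener, up and then down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    up = check_tcp("127.0.0.1", port)
    srv.close()
    down = check_tcp("127.0.0.1", port, timeout=1.0)
    return up, down


if __name__ == "__main__":
    for code, line in demo():
        print(code, line)
```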