Port Scanning Through Tarpits

During service discovery, I occasionally run into hosts that report every single port as open. Obviously this is because something in front of, or on, the target host is replying with a SYN, ACK to every SYN sent (in the case of a typical SYN scan).

This behavior, from my observations, is indicative of a firewall. The only firewall I have ever personally configured that replicates this behavior is netfilter/iptables with the xtables-addons, specifically the TARPIT target. The TARPIT target does more than just make every port appear to be open, but for this write-up that's all we are concerned about.

To demonstrate this, I have configured a host-based firewall on a Linux host. First, let's look at what happens when we perform a SYN scan using Nmap.

[Image: Port Scanning Through Tarpits 1]

We observe the expected behavior: Nmap shows that every port is open. Using Wireshark, let's look at the packet capture for some more detail.

[Image: Port Scanning Through Tarpits 2]

We see that the server is sending a SYN, ACK for every single port that is sent a SYN. This makes detecting legitimate available services nearly impossible.

However, I recently discovered a way to detect a legitimate service by looking for the Maximum Segment Size (MSS) option in the TCP options of the reply. According to my observations, this option is never set in the fake replies, but is almost always set in a legitimate one. To show this, let's look at a SYN, ACK reply from a port that I know is open.

[Image: Port Scanning Through Tarpits 3]

We see that the MSS value is set to 1460 bytes. Now, a look at a fake reply.

[Image: Port Scanning Through Tarpits 4]

No MSS value is set.
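As an added illustration (this is not the author's mss_scan.py, which is not shown on the page), here is the classification step written out in Python: it walks the TCP options of a raw SYN, ACK header and reports whether an MSS option is present, which is exactly the distinction the two captures above show. The sample headers are constructed inline, not captured traffic, and the helper names are my own.

```python
import struct
from typing import Dict, Optional

# TCP option kinds and flag bits from RFC 793 / RFC 9293
TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2
FLAG_SYN = 0x02
FLAG_ACK = 0x10


def parse_tcp_options(segment: bytes) -> Dict[int, bytes]:
    """Return {option_kind: option_data} for the options in a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("TCP header is shorter than 20 bytes")
    data_offset = (segment[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid TCP data offset")
    options: Dict[int, bytes] = {}
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            break  # truncated option: kind byte without a length byte
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            break  # malformed length: stop rather than read past the header
        options[kind] = segment[i + 2:i + length]
        i += length
    return options


def mss_of(segment: bytes) -> Optional[int]:
    """MSS value advertised in the header, or None when the option is absent."""
    data = parse_tcp_options(segment).get(TCP_OPT_MSS)
    if data is None or len(data) != 2:
        return None
    return struct.unpack("!H", data)[0]


def is_syn_ack(segment: bytes) -> bool:
    """True when both SYN and ACK flag bits are set."""
    return segment[13] & (FLAG_SYN | FLAG_ACK) == (FLAG_SYN | FLAG_ACK)


def classify_reply(segment: bytes) -> str:
    """Apply the heuristic from the write-up: SYN,ACK with MSS -> real service."""
    if not is_syn_ack(segment):
        return "not-syn-ack"
    return "likely-service" if mss_of(segment) is not None else "likely-tarpit"


def build_syn_ack(src_port: int, dst_port: int, options: bytes = b"") -> bytes:
    """Constructed sample SYN,ACK header (not captured traffic); checksum left 0."""
    padded = options + b"\x00" * (-len(options) % 4)  # pad to a 4-byte boundary
    data_offset = (20 + len(padded)) // 4
    header = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        1000, 1,                     # seq, ack
        data_offset << 4,            # data offset in the high nibble
        FLAG_SYN | FLAG_ACK,
        29200, 0, 0,                 # window, checksum, urgent pointer
    )
    return header + padded


# Constructed samples: a real service advertising MSS 1460, one with NOP and
# SACK-permitted options ahead of MSS, and a bare tarpit-style reply.
LEGIT = build_syn_ack(80, 40000, b"\x02\x04\x05\xb4")
LEGIT_WITH_NOPS = build_syn_ack(443, 40001, b"\x01\x01\x04\x02\x02\x04\x05\xb4")
TARPIT = build_syn_ack(1337, 40002)

if __name__ == "__main__":
    for name, seg in [("LEGIT", LEGIT), ("LEGIT_WITH_NOPS", LEGIT_WITH_NOPS), ("TARPIT", TARPIT)]:
        print(f"{name:16s} mss={mss_of(seg)} -> {classify_reply(seg)}")
```

To use this on real traffic, feed it the raw TCP header bytes of each SYN, ACK pulled from a capture. The walker stops on a malformed option length instead of reading past the header, since a middlebox that fakes replies has no obligation to emit well-formed options. As the post notes later, a device that proxies TCP with a full stack will answer with a normal SYN, ACK, MSS included, so the heuristic identifies tarpit-style responders, not every kind of TCP-intercepting firewall.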

There you have it: to detect a legitimate service, we can look for the MSS option in the reply to our SYN. I created a PoC (mss_scan.py). Here is a screenshot of it in use against a Windows host on an internal network that was reporting every port as open.

[Image: Port Scanning Through Tarpits 5]

In this instance, the host was behind a Juniper router. Further research has shown that this method will not work against all firewalls that proxy TCP connections. I'll be releasing a tool that works against all of these devices soon.