Thinking about how to use ack scan dos attack? Don’t worry we are here to help you with that. But first, let’s talk about the ACK scans are generally used to identify hosts or ports that may be filtered and resistant to any other form of scanning. A person with bad intentions uses TCP ACK segments to gather all the information about the firewall or ACL configurations.
Many attackers scan people’s routers or just send unwanted requests/traffic. For example ACK, SYN, FIN to some specific UDP/TCP port. They also send continuous harmful and unwanted traffic into particular open ports. This can easily crash our router and make it out of service. So, let’s see some of the steps to help you deal with this issue and how to ack scan dos attack.
How does Ack scan dos attack work?
What happens is a target system is presented with a packet with the ACK flag set with a sequence number of zero to an interesting port. So, if the sequence number is not zero there is a violation of the TCP rules that are associated with that parameter. Then the target sends back an RST. Now when the attacker receives an RST it provides him with the intel the alive. But behind some filtering like some proxies, router, or even a firewall.
When the attacker sends a TCP ACK segment to a closed port or sent out of sync to a listening port. Generally, the device responds with an RST. This RST helps the attacker to recognize and get an idea about the type of firewall.
Now combine it with the SYN techniques an attacker will get a clear picture of the types of packets that can get through. So, that he can understand the firewall ruleset.
Also, ACK scanning when combined with SYN scanning. Also allows the adversary to analyze whether a firewall is stateful or non-stateful.
Two different methods of scanning this behaviour are as follows:
alert tcp 172.16.16.0/24 any -> 172.16.17.0/24 any (flags:A; ack:0; msg: “Potential Ack Scan”; sid: 10001;)
alert tcp 172.16.16.0/24 any -> 172.16.17.0/24 any (flags:AR; msg: “Ack and RST detected-Potential Ack Scan”; sid: 10002;)
The first rule you should keep in mind is the assumption is that the Acknowledgment flag will be set to “0”. This will make the target return to an “RST”.
The second rule looks for the existence of an “RST” with the acknowledgment flat. Rather than looking for the existence of a sub-zero sequence. So, these two flags existing together mean an ACK scan being used for firewalking or reconnaissance purposes.
Mainly, the router is accessible from outside of the network. An attacker can access it by force. So, a typical probe response is given below:
Probe Response - Assigned State --------------------------------------------- ---------------------- TCP RST response - unfiltered No response received (even after retransmissions) - filtered ICMP unreachable error - filtered
Let us provide you with an example of a typical ACK scan:
# nmap -sA -T4 <target> Starting Nmap ( http://nmap.org ) Nmap scan report for target Not shown: 994 filtered ports PORT STATE SERVICE 22/tcp unfiltered ssh 25/tcp unfiltered smtp 53/tcp unfiltered domain 70/tcp unfiltered gopher 80/tcp unfiltered http 113/tcp unfiltered auth Nmap done: 1 IP address (1 host up) scanned in 4.01 seconds
Steps to Mitigate
- Firstly, set up a firewall to filter and scan attempts.
Input the following commands to filter scan attempts with iptables.
iptables -A INPUT -p tcp –tcp-flags SYN,ACK SYN,ACK -m state –state NEW -j DROP iptables -A INPUT -p tcp –tcp-flags ALL NONE -j DROP iptables -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP iptables -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST -j DROP iptables -A INPUT -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP iptables -A INPUT -p tcp –tcp-flags FIN,RST FIN,RST -j DROP iptables -A INPUT -p tcp –tcp-flags ACK,FIN FIN -j DROP iptables -A INPUT -p tcp –tcp-flags ACK,PSH PSH -j DROP iptables -A INPUT -p tcp –tcp-flags ACK,URG URG -j DROP
- Now reset the IP if its dynamic. After that just turn off the router for the DHCP lease time or spoof a different MAC address.
- The appropriate rules can be applied to DROP PKT like: burst limit/rate, Source limit, destination limit, connection limit, length, etc.
You can use the following IPtables command for the above thing:
$ sudo iptables --append INPUT --source 18.104.22.168 --jump DROP or # iptables -A INPUT -m state --state NEW -j DROP
In this blog, we talked about the Ack scan dos attack. What it is. how it affects us. How the attacker attacks us in different ways. But don’t worry we have also provided the possible solutions that you can use to stop the attack. Hope you find this information useful. Thank you for the read.