The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: Blocking queSO Packets

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


Blocking queSO packets

Q:

How do I block packets generated by the queSO security tool?

A:

This information is provided by Alfredo Andres Omella:

The last months I have noticed a growth of the use of a tool called "queSO" original from [email protected] This security tool tries to guess the Operating System (version included) of a host that have a TCP port open (listen) to the world (like public web servers, public ftp servers, etc.) sending packets with tcp flags combinations that don't make any sense and an ack number of 0, after reading the received tcp flags and the tcp window from the public server this tool can guess your Operating System.

These are the steps that I have follow to stop the queSO tcp packets:

First I created a new Service to match those TCP packets that have the flag ACK activated and the ack number = 0, or have activated simultaneously the RESET and another flag, or the TCP flags value is greater than 58, or activated simultaneously the SYN flag and the FIN flag. This is a service of type Other with the following:

Name: queSO
Match: tcp, (th_flags & TH_ACK, th_ack = 0) or (th_flags > 58) or (th_flags & TH_SYN, th_flags & TH_FIN) or (th_flags & TH_RST, th_flags > TH_RST)
Prologue:

Next, I modified the default TCP Maximum Segment Size on the affected servers and I put a 1460 default MSS 'cause my servers are into a Ethernet (MTU 1500) and I take a "liberal position" (that's I assumed the IP header and the TCP header are minimum size). (The trick is in modify the default MSS value but not leaving it in 1460). This can change depending your point of view, your MTU, etc.

And finally I have put this rule in the first place of my rulebase:

No. Source Destination Service Action
1 Any my_servers queSO Drop

I believe that it must have a better way to handle this but I can't find it.

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.