Is it possible to detect port scans on OS X at the kernel level? I would like to write a kext that detects the IP addresses of systems scanning my computer's ports.

How exactly does a stealth scan work? Doesn't the kernel get notified when a port is accessed from outside?

some_id

1 Answer

A stealth scan, as it is commonly called, is a half-open TCP connection. Rather than:

SYN ->

<- SYN/ACK

ACK ->

it goes

SYN ->

<- SYN/ACK

RST ->

It's only referred to as stealth because many applications log a connection on their listening port. As this scan never completes the TCP connection, no log entry is made. It's in no way undetectable. The network stack in the kernel will still receive notification of the connection; just the application listening on the port does not.

A bit more information is available here

user2867314