Full Disclosure mailing list archives
Re: SYN ACK scans to random ports
From: Justin Ferguson <jf () ownco net>
Date: Wed, 25 Sep 2013 11:06:48 -0400
FTR, I would expect to see other packets inbound if someone were attempting to map a firewall; otherwise you wouldn't know if there was a firewall even in place. Moreover, is there even a firewall out there that doesn't track state anymore? I'm sure there is, but this is likely to be akin to hoping firewalls won't deal with fragments properly and similar...that doesn't stop someone from downloading nmap, reading the manpage and trying it though.

The ports in question are probably important; as pointed out, the source port may help you confirm that they're trying to evade a firewall from the 90s; destination port will give you an idea of what they were after.

If there was a spoofed SYN and his boxes were sending SYN-ACKs to the spoofed address...he would be seeing the synergies too. Whoever said the bit about checking for a stateful firewall is probably right; the lack of other types of flags would tell me either they're using a different source IP or, more likely, that they're just running some tool without knowing what they're doing/why they're doing it; they just read some old text that said it bypasses firewalls.

On Wednesday, September 25, 2013, <silence_is_best () hushmail com> wrote:
On 09/24/2013 at 10:29 PM, "Crist Clark" <cjclark () alum mit edu> wrote:

Backscatter. Someone may be sending out spoofed SYNs. The target sends SYN-ACKs to the spoofed source, you. What's the source port? A well known service? Do the source addresses really have reachable services on those ports?

On Sep 24, 2013 7:25 AM, <silence_is_best () hushmail com> wrote:

Can someone explain the point of a SYN ACK scan to random high ports? I usually see a fair amount of these...at first I thought it was maybe a block to an initiating SYN packet, but I don't see any evidence that the SYN ACK isn't the first packet seen. Danke.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

That's a great point Crist I had not thought about that...thanks for the insight.
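The checks discussed in this thread (was a SYN seen before the SYN-ACK, and is the SYN-ACK's source port a well-known service), as an added example that is not part of the original messages. The packet records, the local prefix, the port set and the function names are all constructed assumptions for illustration.

```python
from collections import Counter

# Constructed sample records: (time, src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    (1.0, "192.0.2.10", 51000, "198.51.100.7", 443, "S"),   # our host opens a connection
    (1.1, "198.51.100.7", 443, "192.0.2.10", 51000, "SA"),  # reply to that SYN
    (2.0, "203.0.113.5", 80, "192.0.2.10", 40312, "SA"),    # SYN-ACK is first packet seen
    (2.4, "203.0.113.5", 80, "192.0.2.11", 58120, "SA"),
    (3.0, "203.0.113.99", 31337, "192.0.2.10", 22, "SA"),
]
LOCAL_PREFIX = "192.0.2."  # assumption: the monitored network
# Assumption: ports treated as "well-known services" for the source-port check.
SERVICE_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 993, 995, 3389}


def classify_synacks(packets, local_prefix=LOCAL_PREFIX, window=30.0):
    """Label each inbound SYN-ACK by whether we sent a matching SYN first."""
    pending = {}  # (local_ip, local_port, remote_ip, remote_port) -> time of our SYN
    results = []
    for ts, src, sport, dst, dport, flags in sorted(packets):
        if flags == "S" and src.startswith(local_prefix):
            pending[(src, sport, dst, dport)] = ts
        elif flags == "SA" and dst.startswith(local_prefix):
            syn_ts = pending.get((dst, dport, src, sport))
            if syn_ts is not None and ts - syn_ts <= window:
                label = "solicited"
            elif sport in SERVICE_PORTS:
                # Source looks like a real service answering a SYN that
                # carried our address as a spoofed source.
                label = "likely-backscatter"
            else:
                # Not explained by backscatter; look at the destination
                # port to see what the sender was after.
                label = "unsolicited-other"
            results.append((src, sport, dst, dport, label))
    return results


def summarize(results):
    """Count SYN-ACKs per label."""
    return Counter(label for *_, label in results)


if __name__ == "__main__":
    for row in classify_synacks(PACKETS):
        print(row)
    print(dict(summarize(classify_synacks(PACKETS))))
```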