Security Incidents mailing list archives
Re: syn+fin = stupid?
From: marvin () NSS NU
Date: Sun, 30 Jul 2000 16:28:15 +0200
On Sat, 29 Jul 2000, Bill Owens wrote:
> On Sat, 29 Jul 2000 marvin () NSS NU wrote:
>> I just noticed that a box in Korea (210.223.100.97) checked port 21 and port 53 one day. He/she checked port 21 twice (approx. 2 hours apart) and port 53 three times (also approx. 2 hours apart). Both were closed all day, and have never been open on that IP, ever.
>
> I saw two such probes about a week ago. The signature is that the packets are to and from the same port, have SYN and FIN set, and have the same sequence numbers.
"My" packets also have the same source and destination port (guess I should have said that before) but not the same sequence numbers. They did have the same IP ID number though: 39426. I didn't notice it until you mentioned the sequence numbers. I also see that all packets had TTL 19. And a traceroute reveals that the box is 23 hops away. 23+19 = 42. Hmm, that number is pretty common to use as a "random" number. I'm gonna write a program that checks for constant IP IDs from the same IP. It seems some people think that not setting a random (or incremental) ip.id is good. I'll see how much that will get me.
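
An added example, not part of the original post and not the program its author mentions: a Python sketch that parses raw IPv4/TCP headers and flags the traits discussed in this thread (SYN and FIN both set, identical source and destination port, one IP ID reused by a source). The packet builder, the documentation-range addresses and the `min_repeat` threshold are constructed assumptions; only the IP ID 39426, TTL 19 and ports 21 and 53 come from the message.

```python
import socket
import struct
from collections import defaultdict

SYN, FIN = 0x02, 0x01

def build_packet(src, dst, sport, dport, seq, flags, ip_id, ttl):
    """Constructed test input: minimal IPv4 + TCP headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

def parse_packet(raw):
    """Return the header fields discussed in the thread, or None if not IPv4/TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or raw[9] != 6 or len(raw) < ihl + 14:
        return None                        # bad IHL, not TCP, or truncated
    (ip_id,) = struct.unpack_from("!H", raw, 4)
    sport, dport, seq = struct.unpack_from("!HHI", raw, ihl)
    return {"src": socket.inet_ntoa(raw[12:16]), "ip_id": ip_id, "ttl": raw[8],
            "sport": sport, "dport": dport, "seq": seq, "flags": raw[ihl + 13]}

def analyze(packets, min_repeat=2):
    """Return (SYN+FIN packets, {source: IP ID} for sources reusing one IP ID)."""
    synfin, ids = [], defaultdict(list)
    for raw in packets:
        p = parse_packet(raw)
        if p is None:
            continue
        ids[p["src"]].append(p["ip_id"])
        if p["flags"] & (SYN | FIN) == (SYN | FIN):
            p["same_port"] = p["sport"] == p["dport"]
            synfin.append(p)
    constant = {src: seen[0] for src, seen in ids.items()
                if len(seen) >= min_repeat and len(set(seen)) == 1}
    return synfin, constant

# Constructed sample: two probes shaped like those described, plus ordinary SYNs.
SAMPLE = [
    build_packet("192.0.2.10", "203.0.113.5", 21, 21, 1000, SYN | FIN, 39426, 19),
    build_packet("192.0.2.10", "203.0.113.5", 53, 53, 2000, SYN | FIN, 39426, 19),
    build_packet("198.51.100.7", "203.0.113.5", 40001, 80, 5000, SYN, 100, 52),
    build_packet("198.51.100.7", "203.0.113.5", 40002, 80, 6000, SYN, 101, 52),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```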