Security Incidents mailing list archives

Re: syn+fin = stupid?

From: "J. Oquendo" <intrusion () ENGINEER COM>
Date: Sat, 29 Jul 2000 21:06:38 -0400

Sounds like a script kiddiot using nmap or something similar in which they think SYN/FIN/NULL/XMAS scanning will avoid 
detection.

A variety of scanners tout these methods as evasive even though most are outdated and measures have been taken to 
acknowledge these types of scans.

------Original Message------
From: marvin () NSS NU
To: INCIDENTS () SECURITYFOCUS COM
Sent: July 29, 2000 9:57:14 AM GMT
Subject: syn+fin = stupid?

I just noticed that a box in korea (210.223.100.97) checked port 21 and
port 53 one day. He/she checked port 21 twice (approx. 2 hours apart) and
port 53 three times (also approx. 2 hours apart). Both were closed all
day, and have never been open on that IP, ever.

I just have one question:

Why syn+fin? Isn't syn+fin something that will NEVER turn up in legit
traffic? It sticks out like nothing else (well, few other things anyway).

______________________________________________
FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup

Current thread:

syn+fin = stupid? marvin (Jul 29)
- Re: syn+fin = stupid? James Stevenson (Jul 31)
- Re: syn+fin = stupid? Bill Owens (Jul 31)
- Re: syn+fin = stupid? spaceork (Jul 31)
- Re: syn+fin = stupid? Denis Ducamp (Jul 31)
- <Possible follow-ups>
- Re: syn+fin = stupid? marvin (Jul 31)
- Re: syn+fin = stupid? J. Oquendo (Jul 31)
- Re: syn+fin = stupid? Derek Becker (Jul 31)