Security Incidents mailing list archives
Re: syn+fin = stupid?
From: Bill Owens <owens () NYSERNET ORG>
Date: Sat, 29 Jul 2000 22:00:05 -0400
On Sat, 29 Jul 2000 marvin () NSS NU wrote:
I just noticed that a box in Korea (210.223.100.97) checked port 21 and port 53 one day. He/she checked port 21 twice (approx. 2 hours apart) and port 53 three times (also approx. 2 hours apart). Both were closed all day, and have never been open on that IP, ever.

I saw two such probes about a week ago. The signature is that the packets are to and from the same port, have SYN and FIN set, and have the same sequence numbers. The first set is from Australia (Kidznet) and the second from Korea (the Suwon Office of Education, Kyonggi Province). Nothing since then. According to KRNIC whois, the probe you saw was also from Kyonggi province (this time from a commercial, though).

07/22/00
23:05:19.594765 202.46.32.201.111 > a.b.c.9.111: SF 1733154369:1733154369(0) win 1028
23:05:20.095005 202.46.32.201.111 > a.b.c.34.111: SF 1733154369:1733154369(0) win 1028
23:05:22.794739 202.46.32.201.111 > a.b.c.169.111: SF 1893436362:1893436362(0) win 1028

07/24/00
03:28:37.887900 211.42.98.17.109 > a.b.c.34.109: SF 884664815:884664815(0) win 1028
03:28:38.090054 211.42.98.17.109 > a.b.c.44.109: SF 580487402:580487402(0) win 1028
03:28:40.589623 211.42.98.17.109 > a.b.c.169.109: SF 2119746587:2119746587(0) win 1028

I have no idea what tool does this, but someone else saw a similar probe 10 days ago from the Netherlands, and reported it to the SANS GIAC list:

<http://www.sans.org/y2k/072100.htm>

Bill.

Bill Owens
Network Engineer
NYSERNet, Inc.
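
Added example, not part of the original post: a small Python filter that applies the signature described above (SYN and FIN set together, source port equal to destination port, sequence number repeated) to tcpdump text output in the format quoted in the message. The sample lines are constructed with documentation addresses, the function name is hypothetical, and reading "same sequence numbers" as one sequence number reused across several targets is an assumption.

```python
import re
from collections import defaultdict

# Old-style tcpdump text line: time src.port > dst.port: FLAGS seq:end(len) ...
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRWE.]+) (?P<seq>\d+):\d+\(\d+\)"
)

# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE = """\
10:00:01.000001 198.51.100.7.111 > 192.0.2.9.111: SF 1733154369:1733154369(0) win 1028
10:00:01.500002 198.51.100.7.111 > 192.0.2.34.111: SF 1733154369:1733154369(0) win 1028
10:00:04.200003 198.51.100.7.111 > 192.0.2.169.111: SF 1893436362:1893436362(0) win 1028
10:00:05.000004 203.0.113.20.40211 > 192.0.2.9.80: S 55501:55501(0) win 16384 <mss 1460>
10:00:06.000005 203.0.113.20.40211 > 192.0.2.9.80: F 55620:55620(0) ack 9001 win 16384
"""


def find_synfin_probes(text):
    """Group SYN+FIN packets by source and record the traits from the post."""
    by_src = defaultdict(
        lambda: {"targets": set(), "same_port": True, "seqs": defaultdict(set)}
    )
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or not {"S", "F"} <= set(m["flags"]):
            continue  # unparsable line, or SYN and FIN not set together
        rec = by_src[m["src"]]
        rec["targets"].add(m["dst"])
        rec["same_port"] &= m["sport"] == m["dport"]
        rec["seqs"][m["seq"]].add(m["dst"])
    report = {}
    for src, rec in by_src.items():
        report[src] = {
            "targets": sorted(rec["targets"]),
            "same_port": rec["same_port"],
            # Assumption: "same sequence numbers" = one value reused across targets.
            "reused_seq": any(len(d) > 1 for d in rec["seqs"].values()),
        }
    return report


if __name__ == "__main__":
    for src, info in find_synfin_probes(SAMPLE).items():
        print(src, info)
```

The normal SYN and the later FIN from the second source are ignored because the two flags never appear in the same packet there.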