Security Incidents mailing list archives
Unusual TCP port 53 scan
From: Keith Owens <kaos () ocs com au>
Date: Mon, 04 Jun 2001 22:46:12 +1000
Just got hit by a scan for TCP port 53. It is unusual in that each SYN packet has an associated RST packet with almost identical timestamp. Any idea which vulnerability they are trying to use? It smells like an attack on some NAT box. Logs are GMT. 2001/06/04-12:03:42.677548 216.207.243.167.2417 > 203.34.97.5.53: S 737509983:737509983(0) win 32120 <mss 1460,sackOK,timestamp 67939961 0,nop,wscale 0> (DF) 2001/06/04-12:03:42.687548 216.207.243.167.2417 > 203.34.97.5.53: R 0:0(0) win 0 2001/06/04-12:03:43.527483 216.207.243.167.2420 > 203.34.97.8.53: S 734717774:734717774(0) win 32120 <mss 1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF) 2001/06/04-12:03:43.537478 216.207.243.167.2420 > 203.34.97.8.53: R 0:0(0) win 0 2001/06/04-12:03:43.547473 216.207.243.167.2421 > 203.34.97.9.53: S 736268655:736268655(0) win 32120 <mss 1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF) 2001/06/04-12:03:43.547473 216.207.243.167.2421 > 203.34.97.9.53: R 0:0(0) win 0 2001/06/04-12:03:43.557468 216.207.243.167.2422 > 203.34.97.10.53: S 737261904:737261904(0) win 32120 <mss 1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF) 2001/06/04-12:03:43.567463 216.207.243.167.2422 > 203.34.97.10.53: R 0:0(0) win 0 2001/06/04-12:03:43.577458 216.207.243.167.2423 > 203.34.97.11.53: S 739120319:739120319(0) win 32120 <mss 1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF) 2001/06/04-12:03:43.577458 216.207.243.167.2423 > 203.34.97.11.53: R 0:0(0) win 0 etc.
Current thread:
- Unusual TCP port 53 scan Keith Owens (Jun 04)
- RE: Unusual TCP port 53 scan Golden_Eternity (Jun 04)