Security Incidents mailing list archives
invalid ack with F R A bits set
From: Michiel van der Kraats <michiel () backup nl>
Date: Thu, 8 Mar 2001 22:04:59 +0100
Hi, Snort's portscan module captured this traffic a few days ago: Mar 4 21:29:33 xxx.xxx.xxx.209:80 -> xxx.xxx.xxx.210:43325 INVALIDACK ***FR*A* Mar 4 21:29:33 xxx.xxx.xxx.209:80 -> xxx.xxx.xxx.210:34307 INVALIDACK ***FR*A* Mar 4 21:29:39 xxx.xxx.xxx.209:80 -> xxx.xxx.xxx.210:34307 INVALIDACK ***FR*A* Mar 4 21:29:54 xxx.xxx.xxx.209:2024 -> xxx.xxx.xxx.210:2819 INVALIDACK ***FR*A* Mar 4 21:29:54 xxx.xxx.xxx.209:575 -> xxx.xxx.xxx.210:23885 INVALIDACK ***FR*A* Mar 4 21:29:54 xxx.xxx.xxx.209:573 -> xxx.xxx.xxx.210:23828 INVALIDACK ***FR*A* Mar 4 21:29:54 xxx.xxx.xxx.209:2232 -> xxx.xxx.xxx.210:7237 INVALIDACK ***FR*A* Mar 4 21:29:54 xxx.xxx.xxx.209:643 -> xxx.xxx.xxx.210:32015 INVALIDACK ***FR*A* .209 is an Arescom DSL router (NetDSL 1000) and .210 is our firewall (OpenBSD-2.8). I have been able to reproduce this behaviour with nmap. Starting an nmap scan against .209 with the -sS option generates the same response although only two instances of the INVALID ACK ***FR*A* are recorded per nmap scan. -- Michiel
Current thread:
- invalid ack with F R A bits set Michiel van der Kraats (Mar 08)