Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

invalid ack with F R A bits set

From: Michiel van der Kraats <michiel () backup nl>
Date: Thu, 8 Mar 2001 22:04:59 +0100
Hi,

Snort's portscan module captured this traffic a few days ago:

Mar  4 21:29:33 xxx.xxx.xxx.209:80 -> xxx.xxx.xxx.210:43325 INVALIDACK
***FR*A*
Mar  4 21:29:33 xxx.xxx.xxx.209:80 -> xxx.xxx.xxx.210:34307 INVALIDACK
***FR*A*
Mar  4 21:29:39 xxx.xxx.xxx.209:80 -> xxx.xxx.xxx.210:34307 INVALIDACK
***FR*A*
Mar  4 21:29:54 xxx.xxx.xxx.209:2024 -> xxx.xxx.xxx.210:2819 INVALIDACK
***FR*A*
Mar  4 21:29:54 xxx.xxx.xxx.209:575 -> xxx.xxx.xxx.210:23885 INVALIDACK
***FR*A*
Mar  4 21:29:54 xxx.xxx.xxx.209:573 -> xxx.xxx.xxx.210:23828 INVALIDACK
***FR*A*
Mar  4 21:29:54 xxx.xxx.xxx.209:2232 -> xxx.xxx.xxx.210:7237 INVALIDACK
***FR*A*
Mar  4 21:29:54 xxx.xxx.xxx.209:643 -> xxx.xxx.xxx.210:32015 INVALIDACK
***FR*A*

.209 is an Arescom DSL router (NetDSL 1000) and .210 is our firewall
(OpenBSD-2.8). I have been able to reproduce this behaviour with nmap.
Starting an nmap scan against .209 with the -sS option generates the
same response although only two instances of the INVALID ACK ***FR*A*
are recorded per nmap scan.

--
Michiel
Previous By Date Next
Previous By Thread Next

Current thread: