Security Incidents mailing list archives

SYN/ACK to port 53


From: "DeCamp, Paul" <PDeCamp () MedManageSystems com>
Date: Thu, 24 May 2001 11:33:28 -0700

OK, this is beginning to drive me nuts.  Since about February of this year,
our firewall has been periodically hit with what can only be a probe,
attack, whatever to port 53.  Every time the scan exhibits the same behavior
and is from the same set of IP addresses.

A SYN/ACK packet is sent to TCP port 53.  No SYN was sent from our system.
The SYN & ACK sequence numbers appear to be random, but the ACK is always 1
less than the SYN.  Our system responds with a RST to the ACK.

I have searched books, the Internet (SANS, SecurityFocus, etc.), and while I
have found other reports of somewhat-similar activity, I have to this day
found no coherent explanation as to what this is.  Based on the SYN/ACK
numbers, this is obviously some sort of malformed packet, but to what
purpose?  To spoof our system into thinking that it has sent a SYN when it
hasn't?  Is it a type of SYN flood?  To hijack a port on our system?  A scan
for some trojan?

Any assistance would be appreciated, and better yet, any advice as to where
on the Internet is a good location for looking up such obviously abnormal
activity and what possible explanations may be.  Thanks.

------------------
Paul DeCamp, IT Operations Lead
MedManage Systems Inc.
Voice:  (425) 354-2212
E-Mail: PDeCamp () medmanagesystems com
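
The check described in the message above (an inbound SYN/ACK to TCP port 53 that answers no SYN from the local side, with ACK one less than SEQ), written as detection logic. This is an added example, not part of the original post; the packet records, addresses, sequence numbers and the `find_unsolicited_synacks` name are constructed for illustration.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits
MOD = 2 ** 32                      # sequence numbers wrap at 32 bits

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int

def find_unsolicited_synacks(packets, local_ips, port=53):
    """Return (packet, ack_is_seq_minus_1) for every inbound SYN/ACK to
    `port` that does not answer a SYN previously sent by a local host."""
    pending = {}  # (local ip, local port, remote ip, remote port) -> our ISN
    hits = []
    for p in packets:
        syn_ack = p.flags & (SYN | ACK)
        if p.src in local_ips and syn_ack == SYN:
            pending[(p.src, p.sport, p.dst, p.dport)] = p.seq
        elif p.dst in local_ips and syn_ack == (SYN | ACK):
            isn = pending.pop((p.dst, p.dport, p.src, p.sport), None)
            solicited = isn is not None and p.ack == (isn + 1) % MOD
            if p.dport == port and not solicited:
                hits.append((p, p.ack == (p.seq - 1) % MOD))
    return hits

# Constructed sample traffic (documentation address ranges, made-up numbers).
LOCAL = {"192.0.2.10"}
SAMPLE = [
    # Legitimate handshake: local source port 53, our SYN is answered.
    Pkt("192.0.2.10", 53, "198.51.100.5", 53, SYN, 2000, 0),
    Pkt("198.51.100.5", 53, "192.0.2.10", 53, SYN | ACK, 9000, 2001),
    # No SYN was sent, ACK is one less than SEQ; local host resets.
    Pkt("203.0.113.7", 2100, "192.0.2.10", 53, SYN | ACK, 884213377, 884213376),
    Pkt("192.0.2.10", 53, "203.0.113.7", 2100, RST, 884213376, 0),
    # Same pattern across the 32-bit wrap.
    Pkt("203.0.113.8", 2101, "192.0.2.10", 53, SYN | ACK, 0, MOD - 1),
    # Unsolicited, but ACK is unrelated to SEQ.
    Pkt("203.0.113.9", 3000, "192.0.2.10", 53, SYN | ACK, 777, 12345),
]

if __name__ == "__main__":
    for pkt, pattern in find_unsolicited_synacks(SAMPLE, LOCAL):
        print(pkt.src, pkt.sport, "seq", pkt.seq, "ack", pkt.ack, "ack==seq-1:", pattern)
```

Grouping the flagged packets by source address and by the `ack == seq - 1` flag separates the recurring senders with the fixed pattern from other stray SYN/ACKs.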

