Security Incidents mailing list archives
RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second
From: "Hornat, Charles" <Charles_Hornat () standardandpoors com>
Date: Fri, 27 Dec 2002 11:57:50 -0500
In turn, couldn't this be turned into an attack? A DOS of sorts?

Charles

-----Original Message-----
From: Fyodor [mailto:fyodor () insecure org]
Sent: Tuesday, December 24, 2002 2:18 PM
To: alfaentomega
Cc: incidents () securityfocus com
Subject: Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second

On Mon, Dec 23, 2002 at 09:33:59PM -0800, alfaentomega wrote:
> I found out that by default nmap doesn't scan every port (before that I thought every port is scanned without explicit -p), so I ran "nmap -p1- localhost" and every time I saw something between 0 and 3 (usually there were 2) ports which were reported by nmap as open, but during the scan there was "Strange read error from 127.0.0.1 (104): Operation now in progress" for every one of them.

This may be a problem with your Linux kernel. When Nmap (or many other applications, such as Telnet) does a connect() call, the OS is supposed to choose a good source port to bind to for the connection. When you connect() to an ephemeral port (1024-4999 or so) on localhost, there is a chance that the system will decide to use as a source port the very port you are connecting to. In a bizarre twist, the application then ends up "connecting to itself"!

I consider this to be a Linux kernel bug, but my reports to the linux-kernel list (and offers to fix the problem) have been unheeded. Here is my first posting (from 1999):

http://marc.theaimsgroup.com/?l=linux-kernel&m=93598368005241&w=2

So the short summary is that it is just a Linux bug which the developers argue is a feature that they don't intend to fix. I do have a workaround in place for Nmap versions released in the last two or three years -- what version of Nmap are you using and what are the exact command-line arguments?

New versions of the Nmap Security Scanner can be found at http://www.insecure.org/nmap/

Cheers,
Fyodor

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
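
The self-connect behaviour described in the quoted reply can be told apart from a real listener by comparing a connected socket's local and peer endpoints. The sketch below is an added example, not part of the original thread and not Nmap's own workaround (the post does not describe it); `probe`, `is_self_connection`, `free_port` and the `source_port` test hook are hypothetical names, and the forced case assumes Linux loopback behaviour.

```python
import socket


def is_self_connection(sock):
    """True when a connected TCP socket's local endpoint equals its peer,
    i.e. the kernel used the destination port as the source port."""
    return sock.getsockname() == sock.getpeername()


def probe(host, port, timeout=1.0, source_port=None):
    """Connect-scan one port and return 'open', 'closed' or 'self-connect'.

    source_port is a hypothetical test hook: binding to the destination
    port first forces the self-connect case instead of waiting for the
    kernel to pick that port by chance.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if source_port is not None:
            s.bind((host, source_port))
        s.connect((host, port))
        # A successful connect() alone does not prove a listener exists.
        return "self-connect" if is_self_connection(s) else "open"
    except OSError:
        return "closed"
    finally:
        s.close()


def free_port(host="127.0.0.1"):
    """Return a loopback port that currently has no listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    host = "127.0.0.1"
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind((host, 0))
        listener.listen(1)
        print("real listener:", probe(host, listener.getsockname()[1]))
    p = free_port(host)
    print("no listener:  ", probe(host, p))
    print("forced case:  ", probe(host, p, source_port=p))
```

A scanner or monitoring check that treats `self-connect` as closed avoids reporting these phantom open ports on localhost.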