Security Incidents mailing list archives
Re: Invalid TCP header flags
From: "Crist J. Clark" <crist.clark () attbi com>
Date: Mon, 8 Jul 2002 16:46:17 -0700
On Mon, Jul 08, 2002 at 03:22:21PM -0500, kyle.r.maxwell () verizon com wrote:
We're seeing occasional TCP traffic with FIN-RST-ACK or FIN-PSH-RST-ACK set in the header. The strange part is that it's always set for port 110 (this is in fact a legitimate POP server). The traffic is observed inside the firewall; I don't have an IDS sensor outside. Could this just be port scanning,
Yes, but probably no.
OS fingerprinting,
Yes, but probably no.
a broken stack,
Yes.
or something else?
Yes.
I've googled around but haven't found too much useful info, other than to see that other folks have seen similar stuff.
I think the interesting thing to note is that the RST-flag is set. It is extremely rare to see a RST in a hostile packet since it takes a _really_ broken stack to ever respond to a TCP packet with the RST set. If these come with any frequency, it would be interesting to do a packet capture and see exactly what goes on before and after these fly by. -- Crist J. Clark | cjclark () alum mit edu | cjclark () jhu edu http://people.freebsd.org/~cjc/ | cjc () freebsd org ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Invalid TCP header flags kyle . r . maxwell (Jul 08)
- Re: Invalid TCP header flags Crist J. Clark (Jul 09)