Nmap Development mailing list archives

Nmap marking ports with invalid SYN+ACK TCP checksums as open?


From: Jacek Wielemborek <d33tah () gmail com>
Date: Mon, 23 Jun 2014 14:50:59 +0200

List,

Yesterday I discovered that if Nmap receives a SYN+ACK during a 
SYN scanning that has an invalid TCP checksum, it will say that 
this port is open. This is different than how operating systems 
behave and exploiting it sounds like an easy way to confuse the 
scanner. 

Why is it implemented this way? bonsaiviking on IRC suggested it 
might be "that we'd rather not miss an open port just because of 
a bitflip error somewhere". Still, this might be an interesting 
piece of information that the host is responding with corrupt 
checksums, so maybe Nmap should at least print a warning message 
if this happens?

Yours,
Jacek Wielemborek

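To make the behaviour discussed above concrete, here is an added example (not Nmap's code, and not from the poster) that builds a constructed IPv4 SYN+ACK segment, computes and verifies the TCP checksum over the RFC 793 pseudo-header, and then classifies the reply under the two policies the message contrasts: the lenient one described for Nmap (take the SYN+ACK as "open" regardless, but attach the warning the post proposes) and an OS-style receiver that silently discards a segment whose checksum does not verify. Addresses, ports and the `classify_reply` state names are assumptions chosen for the illustration.

```python
"""Constructed example: TCP checksum verification for SYN-scan replies.

This is an added illustration, not Nmap's code. It models the behaviour the
post describes (a SYN+ACK with a bad checksum is still taken as "open") and
the suggested alternative (drop it, or at least warn about it).
"""
import struct

SYN = 0x02
RST = 0x04
ACK = 0x10
PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length buffer with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol, TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, PROTO_TCP, tcp_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Sender side: checksum to store; the checksum field must be zero."""
    total = ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return (~total) & 0xFFFF


def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Receiver side: the sum including the stored checksum must be 0xFFFF."""
    return ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_tcp_header(src_port, dst_port, seq, ack, flags, checksum=0, window=65535) -> bytes:
    """20-byte TCP header without options (data offset = 5 words)."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, window, checksum, 0)


def build_syn_ack(src_ip, dst_ip, src_port, dst_port, seq, ack, corrupt=False) -> bytes:
    """Constructed SYN+ACK reply; corrupt=True flips one bit of the checksum."""
    hdr = build_tcp_header(src_port, dst_port, seq, ack, SYN | ACK)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    if corrupt:
        csum ^= 0x0100  # simulated single-bit error in transit
    return build_tcp_header(src_port, dst_port, seq, ack, SYN | ACK, checksum=csum)


def classify_reply(src_ip, dst_ip, segment, probe_port, accept_bad_checksum):
    """Return (port_state, warning) for one reply to a SYN probe.

    accept_bad_checksum=True models the lenient behaviour the post describes
    (with the warning it proposes); False models an OS-style receiver that
    discards the segment, so the scanner sees no reply at all.
    State names are assumptions for this illustration, not Nmap's output.
    """
    src_port, = struct.unpack("!H", segment[0:2])
    if src_port != probe_port:
        return ("ignored", None)
    flags = segment[13]
    ok = tcp_checksum_ok(src_ip, dst_ip, segment)
    if not ok and not accept_bad_checksum:
        return ("no-reply", "reply dropped: bad TCP checksum")
    warning = None if ok else "SYN+ACK accepted despite bad TCP checksum"
    if flags & (SYN | ACK) == SYN | ACK:
        return ("open", warning)
    if flags & RST:
        return ("closed", warning)
    return ("unknown", warning)


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    good = build_syn_ack(src, dst, 80, 40000, 0, 1)
    bad = build_syn_ack(src, dst, 80, 40000, 0, 1, corrupt=True)
    for name, seg in (("good", good), ("bad", bad)):
        for lenient in (True, False):
            policy = "lenient" if lenient else "strict"
            print(name, policy, classify_reply(src, dst, seg, 80, lenient))
```

Running it shows the asymmetry from the message: the corrupted SYN+ACK yields "open" under the lenient policy (now with a warning attached) and "no-reply" under the strict one, which is what a real host's TCP stack would produce. A scanner that wants the lenient result without losing the signal can keep the warning as a per-host count of bad-checksum replies, which is the information the poster suggests surfacing.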

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
