Security Basics mailing list archives

Re: Is this normal?


From: Kluge <kluge () blackroses com>
Date: Wed, 27 Oct 2004 15:28:07 -0400 (EDT)


Why couldn't it be the case here? Somebody could very well be making direct attacks against the machine -- but trying to hide the attempts by flooding that same box with massive amounts of b.s. probes... This is an ancient technique...

-k


On Wed, 27 Oct 2004, Barrie Dempster wrote:

On Fri, 2004-10-22 at 12:34 -0300, Joe Polk wrote:
It's not necessarily unusual. Someone is scanning for open ports and such and
is attempting to come in.
<snip>

They most certainly are not, in this case.
You can't scan for open ports if the packets contain a fake return
address like this. In order for the scanning machine to know that a port
is open it requires something to be sent back (i.e. SA). As has been
mentioned before, this is most likely a SYN flood type attack.

--
Barrie Dempster (zeedo) - Fortiter et Strenue

 http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
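
The following is an added example, not part of the original thread: a triage heuristic that combines both points above, separating sources that never react to the target's SYN-ACK (consistent with spoofed addresses) from sources that do react and could be real attempts buried in the flood. The event format, addresses, and the `scan_ports` threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of inbound TCP segments: (source IP, destination port, flag).
# "S" = SYN, "A" = ACK that completes the handshake, "R" = RST sent after our SYN-ACK.
def build_sample():
    events = [(f"203.0.113.{i}", 80, "S") for i in range(1, 201)]  # flood, one SYN each
    events += [("192.0.2.10", 22, "S"), ("192.0.2.10", 22, "A")]   # full handshake
    for port in (21, 22, 23, 25, 80):                               # half-open scan
        events.append(("198.51.100.7", port, "S"))
    events += [("198.51.100.7", 22, "R"), ("198.51.100.7", 80, "R")]
    return events

def triage(events, scan_ports=5):
    """Split sources by whether they ever reacted to the target's SYN-ACK."""
    syn_ports = defaultdict(set)   # source -> ports it sent a SYN to
    completed = defaultdict(set)   # source -> ports where the handshake finished
    answered = set()               # sources that sent ACK or RST after a SYN
    for src, port, flag in events:
        if flag == "S":
            syn_ports[src].add(port)
        elif flag in ("A", "R") and port in syn_ports.get(src, ()):
            answered.add(src)
            if flag == "A":
                completed[src].add(port)
    return {
        # Never reacted: consistent with a spoofed source, the reply went elsewhere.
        "silent": set(syn_ports) - answered,
        # Reacted and touched many ports: a real, reachable scanner.
        "scanners": {s for s in answered if len(syn_ports[s]) >= scan_ports},
        # Finished a handshake: real connections to review first.
        "completed": dict(completed),
    }

if __name__ == "__main__":
    result = triage(build_sample())
    print(len(result["silent"]), "silent sources")
    print("scanners:", sorted(result["scanners"]))
    print("completed:", result["completed"])
```

A silent source can also be a real host whose replies are filtered, so the "silent" bucket is a way to set noise aside, not proof of spoofing.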


