Security Incidents mailing list archives

Re: Unusual scan pattern


From: bejtlich () TEXAS NET (Richard Bejtlich)
Date: Thu, 20 Jan 2000 09:56:19 -0000


Hi Russell,

I have seen the same sort of traffic, where the source and dest ports
are the same (such as 53:53 or 143:143), and only the ACK flags are
set.  Given the Argus "E" flag for an "established" session, this sounds
like Argus may have seen ACK packets in your event also.  I believe this
sort of traffic is an implementation of a "TCP ping," such as the nmap
-PT feature.  

See:  http://www.insecure.org/nmap/nmap_manpage.html  

The theory is: ports on hosts which exist will reply with RST ACK packets,
revealing their existence.  This is true for open and closed ports, although
abnormalities may occur (i.e., ACK packet prompts SYN ACK response, breaking
the RFC).  I've seen this activity in isolation, as in an attempt to map
out a network, or in conjunction with active scanning for services.

Richard

-----
Hi folks,
        I have not seen this type of scan before so I am forwarding the
argus logs for others to examine.
...snip...
The E flag on these means that argus thought that the incoming packets were
part of an established tcp stream for which it had not seen the handshake
packets.  Our hosts respond with a RST.  Note source and destination ports
are the same -- Is this some form of tcp 'ping' designed to go through
packet filters?
...snip...
Cheers, Russell
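What Richard describes (bare ACK packets, often with source port equal to destination port, answered by RST) and what Russell's Argus "E" flag captured (an "established" flow whose handshake was never seen) can be turned into a simple detection. The script below is an added example written for this archive page; it is not code from Richard, Russell, Argus or nmap. The `Packet` record, the `find_unsolicited_acks` and `summarize` functions and the sample packet list are all constructed for illustration, and the sample addresses are documentation ranges, not hosts from the original logs. It approximates the Argus "E" condition from raw packet records: an ACK-only segment on a flow for which no SYN was observed in either direction is reported as a probe, and the per-source summary shows how many used the same-port signature.

```python
"""Detect unsolicited TCP ACK probes ("TCP ping", nmap -PT style) in packet
records.  Added example for this thread; every record below is constructed."""

from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Packet(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "RA", "PA"


# Constructed sample records (not taken from the original Argus logs).
SAMPLE: List[Packet] = [
    # A normal three-way handshake followed by a data segment: must not fire.
    Packet(1.0, "10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    Packet(1.1, "192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
    Packet(1.2, "10.0.0.5", 40001, "192.0.2.10", 80, "A"),
    Packet(1.3, "10.0.0.5", 40001, "192.0.2.10", 80, "PA"),
    # Bare ACKs with no handshake, source port equal to destination port,
    # each answered with RST/ACK by the target (the pattern in the thread).
    Packet(5.0, "203.0.113.7", 53, "192.0.2.10", 53, "A"),
    Packet(5.0, "192.0.2.10", 53, "203.0.113.7", 53, "RA"),
    Packet(5.1, "203.0.113.7", 143, "192.0.2.11", 143, "A"),
    Packet(5.1, "192.0.2.11", 143, "203.0.113.7", 143, "RA"),
    # A bare ACK without the same-port signature: still unsolicited.
    Packet(6.0, "198.51.100.9", 31337, "192.0.2.12", 22, "A"),
]

FlowKey = Tuple[str, int, str, int]


def _flow_key(p: Packet) -> FlowKey:
    return (p.src, p.sport, p.dst, p.dport)


def _reverse_key(p: Packet) -> FlowKey:
    return (p.dst, p.dport, p.src, p.sport)


def find_unsolicited_acks(packets: List[Packet]) -> List[Packet]:
    """Return ACK-only segments for which no SYN was seen earlier in either
    direction of the flow.  This is the raw-packet equivalent of a flow that
    Argus would mark "established" without having observed the handshake."""
    handshakes_seen: Set[FlowKey] = set()
    probes: List[Packet] = []
    for p in sorted(packets, key=lambda x: x.ts):  # stable sort keeps ties ordered
        flags = set(p.flags)
        if "S" in flags:
            # Record the SYN (or SYN/ACK) in both directions so that later
            # ACKs from either endpoint are recognised as part of a session.
            handshakes_seen.add(_flow_key(p))
            handshakes_seen.add(_reverse_key(p))
        elif flags == {"A"} and _flow_key(p) not in handshakes_seen:
            probes.append(p)
    return probes


def summarize(probes: List[Packet]) -> Dict[str, Dict[str, int]]:
    """Per-source counts: total ACK probes, how many used sport == dport,
    and how many distinct host:port targets were touched."""
    stats = defaultdict(lambda: {"probes": 0, "same_port": 0, "targets": set()})
    for p in probes:
        s = stats[p.src]
        s["probes"] += 1
        if p.sport == p.dport:
            s["same_port"] += 1
        s["targets"].add((p.dst, p.dport))
    return {
        src: {"probes": s["probes"], "same_port": s["same_port"],
              "targets": len(s["targets"])}
        for src, s in stats.items()
    }


if __name__ == "__main__":
    found = find_unsolicited_acks(SAMPLE)
    for p in found:
        tag = " (sport == dport)" if p.sport == p.dport else ""
        print(f"{p.ts:5.1f} {p.src}:{p.sport} -> {p.dst}:{p.dport} ACK-only{tag}")
    for src, s in summarize(found).items():
        print(f"{src}: {s['probes']} probes, {s['same_port']} same-port, "
              f"{s['targets']} targets")
```

Two details matter when reading the result. The same-port signature is a strong hint but not a requirement, so the last sample record is reported even though its ports differ; conversely, a capture that starts mid-session will show legitimate ACKs with no visible SYN, so a real deployment should either warm up the handshake table before alerting or read Argus flow records directly rather than raw packets.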

