Security Incidents mailing list archives
Re: Unusual scan pattern
From: bejtlich () TEXAS NET (Richard Bejtlich)
Date: Thu, 20 Jan 2000 09:56:19 -0000
Hi Russell,

I have seen the same sort of traffic, where the source and dest ports are the same (such as 53:53 or 143:143), and only the ACK flags are set. Given the Argus "E" flag for an "established" session, this sounds like Argus may have seen ACK packets in your event also.

I believe this sort of traffic is an implementation of a "TCP ping," such as the nmap -PT feature. See:

http://www.insecure.org/nmap/nmap_manpage.html

The theory is: ports on hosts which exist will reply with RST ACK packets, revealing their existence. This is true for open and closed ports, although abnormalities may occur (i.e., ACK packet prompts SYN ACK response, breaking the RFC).

I've seen this activity in isolation, as in an attempt to map out a network, or in conjunction with active scanning for services.

Richard

-----

Hi folks,

I have not seen this type of scan before so I am forwarding the argus logs for others to examine.

...snip...

The E flag on these means that argus thought that the incoming packets were part of an established tcp stream for which it had not seen the handshake packets. Our hosts respond with a RST. Note source and destination ports are the same -- Is this some form of tcp 'ping' designed to go through packet filters?

...snip...

Cheers, Russell
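Added example, not part of the original post or of Argus: a sketch of detection logic for the pattern discussed in this message, flagging sources that send ACK-only packets with identical source and destination ports on flows where no handshake was observed. The packet tuples, addresses (documentation ranges), the `find_ack_probes` name and the `min_targets` threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample packets (not from the thread): (src, sport, dst, dport, flags)
# Flags: S = SYN, A = ACK, SA = SYN+ACK, R = RST.
PACKETS = [
    # Normal session: handshake seen, then ACK traffic.
    ("198.51.100.7", 40112, "192.0.2.10", 143, "S"),
    ("192.0.2.10", 143, "198.51.100.7", 40112, "SA"),
    ("198.51.100.7", 40112, "192.0.2.10", 143, "A"),
    # Unsolicited ACKs with identical source/destination ports; targets answer with RST.
    ("203.0.113.5", 53, "192.0.2.10", 53, "A"),
    ("192.0.2.10", 53, "203.0.113.5", 53, "R"),
    ("203.0.113.5", 53, "192.0.2.11", 53, "A"),
    ("192.0.2.11", 53, "203.0.113.5", 53, "R"),
    ("203.0.113.5", 143, "192.0.2.12", 143, "A"),
    # Lone stray ACK from a different host: below the reporting threshold.
    ("198.51.100.9", 53, "192.0.2.10", 53, "A"),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a session match."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def find_ack_probes(packets, min_targets=2):
    """Return {source: sorted targets} for sources sending ACK-only packets,
    with sport == dport, on flows where no SYN was observed."""
    handshake_seen = set()
    targets = defaultdict(set)
    for src, sport, dst, dport, flags in packets:
        key = flow_key(src, sport, dst, dport)
        if "S" in flags:
            # Any SYN or SYN+ACK marks the flow as having a visible handshake.
            handshake_seen.add(key)
            continue
        if flags == "A" and sport == dport and key not in handshake_seen:
            targets[src].add(dst)
    # Require several distinct targets so one stray ACK is not reported.
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    for source, hosts in find_ack_probes(PACKETS).items():
        print(f"{source}: unsolicited ACKs (sport == dport) to {len(hosts)} hosts: {hosts}")
```

A sensor that starts capturing mid-session will also see ACKs without a handshake, so the same-port condition and the distinct-target threshold are what keep ordinary traffic out of the result.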