Security Incidents mailing list archives

Re: syn+fin = stupid?


From: marvin () NSS NU
Date: Sun, 30 Jul 2000 16:28:15 +0200

On Sat, 29 Jul 2000, Bill Owens wrote:

On Sat, 29 Jul 2000 marvin () NSS NU wrote:
I just noticed that a box in Korea (210.223.100.97) checked port 21 and
port 53 one day. He/she checked port 21 twice (approx. 2 hours apart) and
port 53 three times (also approx. 2 hours apart). Both were closed all
day, and have never been open on that IP, ever.

I saw two such probes about a week ago. The signature is that the packets
are to and from the same port, have SYN and FIN set, and have the same
sequence numbers.

"My" packets also have the same source and destination port (guess I
should have said that before) but not the same sequence numbers. They did
have the same IP ID number though: 39426. I didn't notice it until you
mentioned the sequence numbers.

I also see that all packets had TTL 19. And a traceroute reveals that the
box is 23 hops away. 23+19 = 42. Hmm, that number is pretty common to use
as a "random" number.

I'm gonna write a program that checks for constant ip ids from the
same IP. It seems some people think that not setting a random (or
incremental) ip.id is good. I'll see how much that will get me.
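The checks discussed in this thread (SYN+FIN set, source port equal to destination port, an IP ID that never changes across probes from one source, and initial TTL recovered from observed TTL plus hop count), as an added example that is not code from either poster. The packet records are constructed inline in this example's own field naming, and the source addresses are RFC 5737 documentation space rather than the host named in the thread.

```python
"""Flag the probe signature described in the thread. Added example; the
record fields (src, sport, dport, flags, ip_id, ttl) are this example's
own convention, not a real capture format."""
from collections import defaultdict

SYN, FIN = 0x02, 0x01  # TCP flag bits

# Constructed sample records: one source probing 21 and 53 with SYN+FIN,
# sport == dport, constant IP ID 39426 and TTL 19, as in the thread, plus
# an ordinary client whose IP ID increments normally.
PACKETS = [
    {"src": "198.51.100.7", "sport": 21, "dport": 21, "flags": SYN | FIN, "ip_id": 39426, "ttl": 19},
    {"src": "198.51.100.7", "sport": 53, "dport": 53, "flags": SYN | FIN, "ip_id": 39426, "ttl": 19},
    {"src": "198.51.100.7", "sport": 21, "dport": 21, "flags": SYN | FIN, "ip_id": 39426, "ttl": 19},
    {"src": "192.0.2.10", "sport": 40001, "dport": 80, "flags": SYN, "ip_id": 1001, "ttl": 58},
    {"src": "192.0.2.10", "sport": 40002, "dport": 80, "flags": SYN, "ip_id": 1002, "ttl": 58},
]

def is_synfin(pkt):
    """SYN and FIN together never occur in a legitimate TCP handshake."""
    return pkt["flags"] & (SYN | FIN) == (SYN | FIN)

def initial_ttl(ttl, hops):
    """Observed TTL plus traceroute hop count gives the sender's initial TTL.
    OS defaults are 64, 128 or 255; a value like 42 suggests a hand-set TTL."""
    return ttl + hops

def analyse(packets, min_count=3):
    """Per-source findings: count of SYN+FIN packets, count with sport == dport,
    and the IP ID value if it is constant over at least min_count packets
    (the hard-coded ip.id that the thread suspects), else None."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p["src"]].append(p)
    findings = {}
    for src, pkts in by_src.items():
        ids = {p["ip_id"] for p in pkts}
        constant = len(pkts) >= min_count and len(ids) == 1
        findings[src] = {
            "synfin": sum(1 for p in pkts if is_synfin(p)),
            "same_port": sum(1 for p in pkts if p["sport"] == p["dport"]),
            "constant_ip_id": next(iter(ids)) if constant else None,
        }
    return findings

if __name__ == "__main__":
    for src, f in analyse(PACKETS).items():
        print(src, f)
    print("initial TTL of the prober:", initial_ttl(19, 23))
```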
