Security Incidents mailing list archives

Re: syn+fin = stupid?


From: Bill Owens <owens () NYSERNET ORG>
Date: Sat, 29 Jul 2000 22:00:05 -0400

On Sat, 29 Jul 2000 marvin () NSS NU wrote:
> I just noticed that a box in korea (210.223.100.97) checked port 21 and
> port 53 one day. He/she checked port 21 twice (approx. 2 hours apart) and
> port 53 three times (also approx. 2 hours apart). Both were closed all
> day, and have never been open on that IP, ever.

I saw two such probes about a week ago. The signature is that the packets
are to and from the same port, have SYN and FIN set, and have the same
sequence numbers. The first set is from Australia (Kidznet) and the second
from Korea (the Suwon Office of Education, Kyonggi Province). Nothing
since then. According to KRNIC whois, the probe you saw was also from
Kyonggi province (this time from a commercial, though).

07/22/00

23:05:19.594765 202.46.32.201.111 > a.b.c.9.111: SF 1733154369:1733154369(0) win 1028
23:05:20.095005 202.46.32.201.111 > a.b.c.34.111: SF 1733154369:1733154369(0) win 1028
23:05:22.794739 202.46.32.201.111 > a.b.c.169.111: SF 1893436362:1893436362(0) win 1028

07/24/00

03:28:37.887900 211.42.98.17.109 > a.b.c.34.109: SF 884664815:884664815(0) win 1028
03:28:38.090054 211.42.98.17.109 > a.b.c.44.109: SF 580487402:580487402(0) win 1028
03:28:40.589623 211.42.98.17.109 > a.b.c.169.109: SF 2119746587:2119746587(0) win 1028

I have no idea what tool does this, but someone else saw a similar probe
10 days ago from the Netherlands, and reported it to the SANS GIAC list:
<http://www.sans.org/y2k/072100.htm>

Bill.

Bill Owens
Network Engineer
NYSERNet, Inc.
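The signature Bill describes (SYN and FIN set together, source port equal to destination port, one source sweeping several hosts) can be picked out of classic one-line tcpdump output mechanically. The following detector is an added example, not code from the list post; it assumes tcpdump's old `src.port > dst.port: FLAGS seq:seq(len) win N` line layout shown above, and the sample lines are constructed (the first, a plain SYN, is a control that is not in the report).

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's classic one-line format. The a.b.c.* hosts
# are anonymized targets as in the original report; the first line is a
# normal SYN added here as a control and should not be flagged.
SAMPLE = """\
23:05:18.000000 10.0.0.5.40123 > a.b.c.9.80: S 1000:1000(0) win 8192
23:05:19.594765 202.46.32.201.111 > a.b.c.9.111: SF 1733154369:1733154369(0) win 1028
23:05:20.095005 202.46.32.201.111 > a.b.c.34.111: SF 1733154369:1733154369(0) win 1028
03:28:37.887900 211.42.98.17.109 > a.b.c.34.109: SF 884664815:884664815(0) win 1028
"""

# host.port > host.port: FLAGS seq:seq(len) win N   (assumed tcpdump layout)
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPAUEW.]+) (?P<seq>\d+):\d+\(\d+\) win (?P<win>\d+)"
)

def parse(line):
    """Return a dict for one tcpdump line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "seq", "win"):
        pkt[key] = int(pkt[key])
    return pkt

def is_syn_fin_probe(pkt):
    # SYN opens a connection and FIN closes one; a real stack never sends both
    # in the same segment, so the combination alone is enough to alert on.
    flags = set(pkt["flags"])
    return "S" in flags and "F" in flags

def find_probes(text):
    """Return the SYN+FIN packets, annotated with the same-port marker."""
    hits = []
    for line in text.splitlines():
        pkt = parse(line)
        if pkt and is_syn_fin_probe(pkt):
            pkt["same_port"] = pkt["sport"] == pkt["dport"]
            hits.append(pkt)
    return hits

def summarize(hits):
    """Group flagged packets by source so one sweep becomes one alert."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h["src"]].append(h["dst"])
    return {src: sorted(set(dsts)) for src, dsts in by_src.items()}
```

Feeding it a full day's tcpdump capture gives one line per scanning source with the list of hosts it touched, which is the view Bill built by hand from the two sets above.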

