Security Incidents mailing list archives

Re: syn+fin = stupid?


From: Denis Ducamp <Denis.Ducamp () HSC FR>
Date: Sat, 29 Jul 2000 23:01:52 +0200

On Sat, Jul 29, 2000 at 11:57:14AM +0200, marvin () NSS NU wrote:
> I just noticed that a box in korea (210.223.100.97) checked port 21 and
> port 53 one day. He/she checked port 21 twice (approx. 2 hours apart) and
> port 53 three times (also approx. 2 hours apart). Both were closed all
> day, and have never been open on that IP, ever.
>
> I just have one question:
>
> Why syn+fin? Isn't syn+fin something that will NEVER turn up in legit
> traffic? It sticks out like nothing else (well, few other things anyway).

syn+fin isn't legit traffic, but all (?) Unix tcp/ip stacks think that
syn+fin is legit traffic and reply with a syn+ack or a rst+ack:

# hping -S -F -p 22 127.0.0.1
eth0 default routing interface selected (according to /proc)
HPING 127.0.0.1 (eth0 127.0.0.1): SF set, 40 headers + 0 data bytes
44 bytes from 127.0.0.1: flags=SA seq=0 ttl=64 id=0 win=30912 rtt=4.7 ms

# hping -S -F -p 24 127.0.0.1
eth0 default routing interface selected (according to /proc)
HPING 127.0.0.1 (eth0 127.0.0.1): SF set, 40 headers + 0 data bytes
40 bytes from 127.0.0.1: flags=RA seq=0 ttl=255 id=0 win=0 rtt=4.0 ms

I think that some old scan detectors didn't look at such packets...

Those packets don't work against Microsoft tcp/ip stacks.

Denis Ducamp.

--
Denis.Ducamp () hsc fr -- Hervé Schauer Consultants -- http://www.hsc.fr/
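The point of the reply above is that a detector has to look at the TCP flag combination itself, because the target stack will answer a SYN+FIN probe as if it were a plain SYN. The following is an added example, not code from the thread or from hping: it parses raw IPv4/TCP headers, flags any packet that carries both SYN and FIN, and runs over a small set of constructed packets (documentation-range addresses, zero checksums) modelled on the probes to ports 21 and 53 described in the original post. The flag-letter order and the `TcpSummary` type are this example's own choices.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# TCP control bits: the low six bits of the data-offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class TcpSummary:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int

    def flag_string(self) -> str:
        # Letters in the order F S R P A U, so SYN|ACK -> "SA", RST|ACK -> "RA", SYN|FIN -> "FS".
        names = (("F", FIN), ("S", SYN), ("R", RST), ("P", PSH), ("A", ACK), ("U", URG))
        return "".join(letter for letter, bit in names if self.flags & bit)


def parse_ipv4_tcp(pkt: bytes) -> Optional[TcpSummary]:
    """Extract addresses, ports and TCP flags from a raw IPv4 packet; None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:  # IP protocol 6 = TCP; need a full 20-byte TCP header
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return TcpSummary(src, dst, sport, dport, off_flags & 0x3F)


def is_syn_fin(s: TcpSummary) -> bool:
    """SYN and FIN together never occur in a legitimate connection (open and close at once)."""
    return (s.flags & (SYN | FIN)) == (SYN | FIN)


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample: minimal IPv4 + TCP headers, checksums left zero (never sent anywhere)."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


# Constructed sample traffic: one ordinary SYN to 22 and its FIN+ACK close, interleaved with
# SYN+FIN probes to ports 21 and 53 like the ones described in the original post.
SAMPLE_PACKETS: List[bytes] = [
    build_ipv4_tcp("192.0.2.10", "192.0.2.1", 40000, 22, SYN),
    build_ipv4_tcp("198.51.100.7", "192.0.2.1", 1234, 21, SYN | FIN),
    build_ipv4_tcp("192.0.2.10", "192.0.2.1", 40000, 22, FIN | ACK),
    build_ipv4_tcp("198.51.100.7", "192.0.2.1", 1234, 53, SYN | FIN),
]


def find_syn_fin(packets: List[bytes]) -> List[TcpSummary]:
    """Return a summary of every packet carrying the SYN+FIN combination."""
    hits = []
    for pkt in packets:
        summary = parse_ipv4_tcp(pkt)
        if summary is not None and is_syn_fin(summary):
            hits.append(summary)
    return hits


if __name__ == "__main__":
    for s in find_syn_fin(SAMPLE_PACKETS):
        print(f"SYN+FIN probe {s.src}:{s.sport} -> {s.dst}:{s.dport} flags={s.flag_string()}")
```

The check is deliberately stateless: a SYN+FIN packet is illegal on its own, so it can be flagged without tracking connections, which is exactly what the older detectors mentioned above failed to do when they keyed only on plain SYNs.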

