RE: Unusual TCP port 53 scan

["Golden_Eternity" <bhodi () bigfoot com>]

> From: Keith Owens [mailto:kaos () ocs com au]
> Subject: Unusual TCP port 53 scan
>
>
> Just got hit by a scan for TCP port 53.  It is unusual in
> that each SYN
> packet has an associated RST packet with almost identical timestamp.
> Any idea which vulnerability they are trying to use?  It
> smells like an
> attack on some NAT box.  Logs are GMT.
>
> 2001/06/04-12:03:42.677548 216.207.243.167.2417 >
> 203.34.97.5.53: S 737509983:737509983(0) win 32120 <mss
> 1460,sackOK,timestamp 67939961 0,nop,wscale 0> (DF)
> 2001/06/04-12:03:42.687548 216.207.243.167.2417 >
> 203.34.97.5.53: R 0:0(0) win 0

Looks like a "half-open" or stealth scan. Rather than completing the
three-way handshake, the scanner sends an RST on receipt of SYN/ACK. The
nmap man page has more info (look for the -sS option).

This is what it looks like through tcpdump.

11:23:49.670000 10.0.0.2.55793 > 10.0.0.1.53: S [tcp sum ok]
3064273040:3064273040(0) win 2048 (ttl 49, id 27693, len 40)
11:23:49.670000 10.0.0.1.53 > 10.0.0.2.55793: S [tcp sum ok]
3236380483:3236380483(0) ack 3064273041 win 32696 <mss 536> (DF) (ttl 64, id
3567, len 44)
11:23:49.670000 10.0.0.2.55793 > 10.0.0.1.53: R [tcp sum ok]
3064273041:3064273041(0) win 0 (DF) (ttl 255, id 0, len 40)