Security Incidents mailing list archives
RE: Unusual TCP port 53 scan
From: "Golden_Eternity" <bhodi () bigfoot com>
Date: Mon, 4 Jun 2001 11:31:06 -0700
From: Keith Owens [mailto:kaos () ocs com au]
Subject: Unusual TCP port 53 scan

Just got hit by a scan for TCP port 53. It is unusual in that each SYN packet has an associated RST packet with almost identical timestamp. Any idea which vulnerability they are trying to use? It smells like an attack on some NAT box. Logs are GMT.

2001/06/04-12:03:42.677548 216.207.243.167.2417 > 203.34.97.5.53: S 737509983:737509983(0) win 32120 <mss 1460,sackOK,timestamp 67939961 0,nop,wscale 0> (DF)
2001/06/04-12:03:42.687548 216.207.243.167.2417 > 203.34.97.5.53: R 0:0(0) win 0

Looks like a "half-open" or stealth scan. Rather than completing the three-way handshake, the scanner sends an RST on receipt of SYN/ACK. The nmap man page has more info (look for the -sS option). This is what it looks like through tcpdump.

11:23:49.670000 10.0.0.2.55793 > 10.0.0.1.53: S [tcp sum ok] 3064273040:3064273040(0) win 2048 (ttl 49, id 27693, len 40)
11:23:49.670000 10.0.0.1.53 > 10.0.0.2.55793: S [tcp sum ok] 3236380483:3236380483(0) ack 3064273041 win 32696 <mss 536> (DF) (ttl 64, id 3567, len 44)
11:23:49.670000 10.0.0.2.55793 > 10.0.0.1.53: R [tcp sum ok] 3064273041:3064273041(0) win 0 (DF) (ttl 255, id 0, len 40)
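
A detection sketch for the pattern described in the reply, as an added example that is not part of the original posts: it reads tcpdump text lines in the format quoted in this thread and labels each flow by whether the initiator sent an RST after the SYN/ACK instead of completing the handshake. The function name, verdict strings and regular expression are this example's own; the sample lines are the ones quoted above.

```python
import re

# tcpdump text lines exactly as quoted in this thread (old-style flag letters).
SAMPLE = """\
2001/06/04-12:03:42.677548 216.207.243.167.2417 > 203.34.97.5.53: S 737509983:737509983(0) win 32120 <mss 1460,sackOK,timestamp 67939961 0,nop,wscale 0> (DF)
2001/06/04-12:03:42.687548 216.207.243.167.2417 > 203.34.97.5.53: R 0:0(0) win 0
11:23:49.670000 10.0.0.2.55793 > 10.0.0.1.53: S [tcp sum ok] 3064273040:3064273040(0) win 2048 (ttl 49, id 27693, len 40)
11:23:49.670000 10.0.0.1.53 > 10.0.0.2.55793: S [tcp sum ok] 3236380483:3236380483(0) ack 3064273041 win 32696 <mss 536> (DF) (ttl 64, id 3567, len 44)
11:23:49.670000 10.0.0.2.55793 > 10.0.0.1.53: R [tcp sum ok] 3064273041:3064273041(0) win 0 (DF) (ttl 255, id 0, len 40)
"""

# timestamp, src ip.port, dst ip.port, flag letters, remainder of the line
LINE = re.compile(r"^\S+ ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): ([SFRP.]+) (.*)$")

def classify(text):
    """Return {(client, cport, server, sport): verdict} for flows opened by a bare SYN."""
    flows = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a TCP line in the expected format
        src, sp, dst, dp, flags, rest = m.groups()
        has_ack = " ack " in f" {rest} "
        fwd = (src, int(sp), dst, int(dp))
        rev = (dst, int(dp), src, int(sp))
        if "S" in flags and not has_ack:
            flows[fwd] = "syn-only"                 # initiator's SYN
        elif "S" in flags and rev in flows:
            flows[rev] = "synack-seen"              # responder's SYN/ACK
        elif fwd in flows and "R" in flags:         # initiator resets
            if flows[fwd] == "synack-seen":
                flows[fwd] = "half-open: SYN, SYN/ACK, RST"
            elif flows[fwd] == "syn-only":
                flows[fwd] = "SYN then RST, no SYN/ACK captured"
        elif fwd in flows and flows[fwd] == "synack-seen":
            flows[fwd] = "handshake completed"      # initiator ACKs or sends data
    return flows

if __name__ == "__main__":
    for flow, verdict in classify(SAMPLE).items():
        print(flow, verdict)
```

A capture filter that records only inbound packets will never show the SYN/ACK, so the second verdict does not by itself rule out a half-open scan.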