Security Incidents mailing list archives

Re: SYN/ACK to port 53

From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 24 May 2001 14:36:57 -0600 (MDT)

On Thu, 24 May 2001, DeCamp, Paul wrote:

A SYN/ACK packet is sent to TCP port 53.  No SYN was sent from our system.
The SYN & ACK sequence numbers appear to be random, but the ACK is always 1
less than the SYN.  Our system responds with a RST to the ACK.


Exactly what you would expect to see if someone sent them a spoofed packet
claiming to be from your IP address, source port 53.  What are the other
port numbers?

Now why someone would do that, I can't say.  There are some passive
fingerprinting techniques this might apply for..

                                        Ryan

Current thread:

SYN/ACK to port 53 DeCamp, Paul (May 24)
- Re: SYN/ACK to port 53 Daniel Martin (May 25)
- Re: SYN/ACK to port 53 Ryan Russell (May 25)
  - RE: SYN/ACK to port 53 Golden_Eternity (May 26)
- <Possible follow-ups>
- Re: SYN/ACK to port 53 Bill_Royds (May 25)
- RE: SYN/ACK to port 53 Steve Halligan (May 25)
- RE: SYN/ACK to port 53 DeCamp, Paul (May 25)
- RE: SYN/ACK to port 53 Keith.Morgan (May 25)