Security Incidents mailing list archives

RE: SYN/ACK to port 53


From: "Golden_Eternity" <bhodi () bigfoot com>
Date: Sat, 26 May 2001 02:20:29 -0700

-----Original Message-----
From: Ryan Russell [mailto:ryan () securityfocus com]
Sent: Thursday, May 24, 2001 12:37 PM

On Thu, 24 May 2001, DeCamp, Paul wrote:

A SYN/ACK packet is sent to TCP port 53.  No SYN was sent from our system.
The SYN & ACK sequence numbers appear to be random, but the ACK is always 1
less than the SYN.  Our system responds with a RST to the ACK.

Exactly what you would expect to see if someone sent them a spoofed packet
claiming to be from your IP address, source port 53.  What are the other
port numbers?

Now why someone would do that, I can't say.  There are some passive
fingerprinting techniques this might apply for.

                                      Ryan


This SYN/ACK packet reminded me of a thread from about two weeks ago, "DNS
ports and scans" which included discussion of filtering TCP requests to 53.
One suggestion was to filter inbound connections without the ACK bit set.

If both a normal SYN packet and a spoofed SYN/ACK packet were sent, and the
responses compared, an attacker might be able to determine if there were a
server listening on the port (but filters were in place) versus nothing
listening at all. For example, if the SYN/ACK received an RST, but the SYN
returned no response, that could suggest that there is/was/will be something
on that port. It's not conclusive, but a decent foundation for a "best guess"
kind of thing.

I don't know if any scanners like this currently exist (it's probably hidden
in nmap somewhere), but it seems interesting.
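
The SYN-versus-unsolicited-SYN/ACK comparison sketched in the post above, as an added example that is not code from anyone in the thread. It builds the two probes as real TCP headers (with a valid pseudo-header checksum), simulates the target with RFC 793 CLOSED/LISTEN behaviour behind an optional "drop segments without the ACK bit" filter of the kind the earlier thread suggested, and reduces the pair of replies to the post's "best guess". The addresses, ports and sequence numbers are constructed sample values; putting the probes on the wire would need raw sockets, which is not shown.

```python
# Added example, not code from the thread: simulate the SYN / unsolicited
# SYN/ACK comparison offline.  ATTACKER, TARGET and TARGET_PORT are constructed.
import random
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10   # RFC 793 control bits
ATTACKER, TARGET, TARGET_PORT = "192.0.2.10", "192.0.2.53", 53   # constructed


def _ones_complement_sum(data):
    """Internet checksum over 16-bit words (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    def ip(s):
        return bytes(int(o) for o in s.split("."))
    return struct.pack("!4s4sBBH", ip(src_ip), ip(dst_ip), 0, 6, tcp_len)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=8192):
    """20-byte TCP header, no options, checksum over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, hdr):
    """A correct header sums to zero when the checksum field is included."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr) == 0


def parse_tcp(hdr):
    f = struct.unpack("!HHIIBBHHH", hdr[:20])
    return {"sport": f[0], "dport": f[1], "seq": f[2], "ack": f[3], "flags": f[5]}


def make_probes(rng=random):
    """The pair the post compares: a normal SYN, and a SYN/ACK nobody asked for.
    The reported packet carried ACK = SEQ - 1; that relationship is mirrored here."""
    sport = rng.randint(1024, 65535)
    syn = build_tcp(ATTACKER, TARGET, sport, TARGET_PORT, rng.getrandbits(32), 0, SYN)
    fake_seq = rng.getrandbits(32)
    synack = build_tcp(ATTACKER, TARGET, sport, TARGET_PORT,
                       fake_seq, (fake_seq - 1) & 0xFFFFFFFF, SYN | ACK)
    return syn, synack


def target_reply(probe, listening, drop_no_ack, rng=random):
    """Simulated target.  Returns the reply header, or None for silence."""
    p = parse_tcp(probe)
    if drop_no_ack and not (p["flags"] & ACK):
        return None                          # the "no ACK bit, drop it" filter
    def reply(seq, ack, flags):
        return build_tcp(TARGET, ATTACKER, p["dport"], p["sport"], seq, ack, flags)
    if p["flags"] & ACK:
        # RFC 793: an unexpected ACK-bearing segment in CLOSED or LISTEN draws
        # <SEQ=SEG.ACK><CTL=RST>, whether or not anything is listening.
        return reply(p["ack"], 0, RST)
    if listening:                            # SYN to LISTEN: SYN/ACK
        return reply(rng.getrandbits(32), (p["seq"] + 1) & 0xFFFFFFFF, SYN | ACK)
    # SYN to CLOSED: <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>; the SYN counts as one octet
    return reply(0, (p["seq"] + 1) & 0xFFFFFFFF, RST | ACK)


def infer(syn_reply, synack_reply):
    """Reduce the two observations to the post's best guess."""
    s = parse_tcp(syn_reply) if syn_reply else None
    a = parse_tcp(synack_reply) if synack_reply else None
    if s and s["flags"] & SYN and s["flags"] & ACK:
        return "open"
    if s and s["flags"] & RST:
        return "closed"
    if a and a["flags"] & RST:
        return "filtered-syn"    # host is up and answers ACK-bearing segments, SYNs vanish
    return "no-response"         # filtered both ways, or host/path down


def scan(listening, drop_no_ack, host_up=True):
    syn, synack = make_probes()
    if not host_up:
        return infer(None, None)
    return infer(target_reply(syn, listening, drop_no_ack),
                 target_reply(synack, listening, drop_no_ack))


if __name__ == "__main__":
    for listening, drop_no_ack in [(True, False), (False, False), (True, True), (False, True)]:
        print("listening=%s ack_filter=%s -> %s" % (listening, drop_no_ack, scan(listening, drop_no_ack)))
```

Running the four configurations shows exactly why the post calls the result inconclusive: with the ACK-bit filter in place, a closed port and a listening one both produce "filtered-syn", because RFC 793 makes a host RST an unsolicited SYN/ACK in CLOSED and in LISTEN alike. What the pair of probes does establish is that the SYN was dropped by a filter rather than lost to a dead host, which is the "something is there" hint the post describes.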


