Security Incidents mailing list archives
Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second
From: Fyodor <fyodor () insecure org>
Date: Tue, 24 Dec 2002 11:18:16 -0800
On Mon, Dec 23, 2002 at 09:33:59PM -0800, alfaentomega wrote:
> I found out that by default nmap doesn't scan every port (before that I thought every port is scanned without explicit -p), so I ran "nmap -p1- localhost" and every time I saw something between 0 and 3 (usually there were 2) ports which were reported by nmap as open, but during the scan there was "Strange read error from 127.0.0.1 (104): Operation now in progress" for every one of them.

This may be a problem with your Linux kernel. When Nmap (or many other applications, such as Telnet) does a connect() call, the OS is supposed to choose a good source port to bind to for the connection. When you connect() to an ephemeral port (1024-4999 or so) on localhost, there is a chance that the system will decide to use as a source port the very port you are connecting to. In a bizarre twist, the application then ends up "connecting to itself"! I consider this to be a Linux kernel bug, but my reports to the linux-kernel list (and offers to fix the problem) have been unheeded. Here is my first posting (from 1999):

http://marc.theaimsgroup.com/?l=linux-kernel&m=93598368005241&w=2

So the short summary is that it is just a Linux bug which the developers argue is a feature that they don't intend to fix.

I do have a workaround in place for Nmap versions released in the last two or three years -- what version of Nmap are you using and what are the exact command-line arguments?

New versions of the Nmap Security Scanner can be found at http://www.insecure.org/nmap/

Cheers,
Fyodor
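
A connect() that succeeds this way can be told apart from a real listener by comparing the socket's local and peer endpoints. The following is an added example, not part of the original message and not Nmap's code; the function names are made up here, and the forced case assumes a Linux host that completes a connect from a port to itself.

```python
import socket

def is_self_connect(sock):
    """True when the socket's local endpoint is also its peer endpoint."""
    return sock.getsockname() == sock.getpeername()

def probe(host, port, source_port=None, timeout=1.0):
    """Connect-scan one port; return 'open', 'closed' or 'self-connect'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if source_port is not None:
            # Normally the kernel picks the source port; pinning it is only
            # used below to reproduce the collision on demand.
            s.bind((host, source_port))
        s.connect((host, port))
        # connect() succeeded, but that alone does not prove a listener exists.
        return "self-connect" if is_self_connect(s) else "open"
    except OSError:
        return "closed"  # refused, timed out, or the bind failed
    finally:
        s.close()

def forced_self_connect(host="127.0.0.1"):
    """Reproduce the collision: source port == destination port, no listener."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))          # let the kernel hand out a free port
    port = tmp.getsockname()[1]
    tmp.close()                  # nothing is listening on it now
    return probe(host, port, source_port=port)

if __name__ == "__main__":
    # Constructed local test setup: one real listener, one colliding probe.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    print("real listener:", probe("127.0.0.1", srv.getsockname()[1]))
    srv.close()
    print("no listener, colliding ports:", forced_self_connect())
```

A scanner or monitoring script that applies this check will not report the transient self-connected ports as open services.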