Security Incidents mailing list archives

Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second


From: Fyodor <fyodor () insecure org>
Date: Tue, 24 Dec 2002 11:18:16 -0800

On Mon, Dec 23, 2002 at 09:33:59PM -0800, alfaentomega wrote:

> I found out that by default nmap doesn't scan every
> port (before that I thought every port is scanned
> without explicit -p), so I ran "nmap -p1- localhost"
> and every time I saw something between 0 and 3 (usually
> there were 2) ports which were reported by nmap as
> open, but during the scan there was "Strange read
> error from 127.0.0.1 (104): Operation now in progress"
> for every one of them.

This may be a problem with your Linux kernel.  When Nmap (or many
other applications, such as Telnet) does a connect() call, the OS is
supposed to choose a good source port to bind to for the connection.
When you connect() to an ephemeral port (1024-4999 or so) on localhost,
there is a chance that the system will decide to use as a source port
the very port you are connecting to.  In a bizarre twist, the
application then ends up "connecting to itself"!  I consider this to
be a Linux kernel bug, but my reports to the linux-kernel list (and
offers to fix the problem) have been unheeded.  Here is my first
posting (from 1999):

http://marc.theaimsgroup.com/?l=linux-kernel&m=93598368005241&w=2

So the short summary is that it is just a Linux bug which the
developers argue is a feature that they don't intend to fix.
I do have a workaround in place for Nmap versions released in the last
two or three years -- what version of Nmap are you using and what are
the exact command-line arguments?

New versions of the Nmap Security Scanner can be found at
http://www.insecure.org/nmap/

Cheers,
Fyodor
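An added example, not taken from Fyodor's post or from Nmap's own source, of the check a scanner can apply against the self-connect case described above: after connect() succeeds, compare the socket's local and remote endpoints and treat a match as a self-connection rather than an open port. The function names are my own, and the script assumes Linux, reading the kernel's ephemeral range from /proc/sys/net/ipv4/ip_local_port_range so that it can probe a port inside that range.

```python
"""Classifying connect() results so a self-connected socket is not reported as open.

When connect() targets 127.0.0.1:P, P has no listener, and P lies inside the
kernel's ephemeral range, the kernel may pick P as the source port; TCP
simultaneous open then completes the handshake with no server at all, and
both ends of the socket carry the same address.
"""
import socket
from typing import Tuple

Endpoint = Tuple[str, int]


def classify(local: Endpoint, remote: Endpoint, connected: bool) -> str:
    """"closed" if connect() failed, "self-connect" if both ends of the
    socket are the same address/port, "open" otherwise."""
    if not connected:
        return "closed"
    return "self-connect" if local == remote else "open"


def probe_port(port: int, host: str = "127.0.0.1", timeout: float = 1.0) -> str:
    """Connect to host:port and classify the outcome as a hardened scanner would."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # ECONNREFUSED, timeout, unreachable ...
            return classify(("", 0), (host, port), connected=False)
        return classify(s.getsockname(), s.getpeername(), connected=True)


def ephemeral_range() -> Tuple[int, int]:
    """Linux only: the range the kernel draws source ports from."""
    with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
        lo, hi = f.read().split()
    return int(lo), int(hi)


def count_self_connects(port: int, attempts: int = 200) -> int:
    """Probe one unlistened in-range port repeatedly; count self-connections."""
    return sum(probe_port(port) == "self-connect" for _ in range(attempts))


def demo_against_listener() -> str:
    """Self-check: a real loopback listener on an OS-chosen port must read as "open"."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return probe_port(srv.getsockname()[1])


if __name__ == "__main__":
    lo, hi = ephemeral_range()
    target = (lo + hi) // 2  # an unlistened port inside the ephemeral range
    print(f"ephemeral range {lo}-{hi}; probing port {target} ...")
    print("self-connects observed:", count_self_connects(target))
```

How often a self-connection shows up depends on the kernel and on how busy the ephemeral range is, so the count printed may be zero on a given run; the classification itself does not depend on it.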

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

