RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second

["Hornat, Charles" <Charles_Hornat () standardandpoors com>]

In turn, couldn't this be turned into an attack?  A DOS of sorts?

Charles

-----Original Message-----
From: Fyodor [mailto:fyodor () insecure org]
Sent: Tuesday, December 24, 2002 2:18 PM
To: alfaentomega
Cc: incidents () securityfocus com
Subject: Re: Random unprivileged TCP ports below 5000 kind-of open for a
fraction of a second


On Mon, Dec 23, 2002 at 09:33:59PM -0800, alfaentomega wrote:
> I found out that by default nmap doesn't scan every
> port (before that I thought every port is scanned
> without explicite -p), so I ran "nmap -p1- localhost"
> and every time I saw something betwen 0 and 3 (usually
> there were 2) ports which were reported by nmap as
> open, but during the scan there was "Strange read
> error from 127.0.0.1 (104): Operation now in progress"
> for every one of them.

This may be a problem with your Linux kernel.  When Nmap (or many
other applications, such as Telnet) does a connect() call, the OS is
supposed to choose a good souce port to bind to for the connection.
When you connect() to a ephemeral port (1024-4999 or so) on localhost,
there is a chance that the system will decide to use as a source port
the very port you are connecting to.  In a bizarre twist, the
application then ends up "connecting to itself"!  I consider this to
be a Linux kernel bug, but my reports to the linux-kernel list (and
offers to fix the problem) have been unheeded.  Here is my first
posting (from 1999):

http://marc.theaimsgroup.com/?l=linux-kernel&m=93598368005241&w=2

So the short summary is that it is just a Linux bug which the
developers argue is a feature that they don't intend to fix.
I do have a workaround in place for Nmap versions released in the last
two or three years -- what version of Nmap are you using and what are
the exact command-line arguments?

New versions of the Nmap Security Scanner can be found at
http://www.insecure.org/nmap/

Cheers,
Fyodor

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
 
 
 
--------------------------------------------------------
The information contained in this message is intended only for the recipient, and may be a confidential attorney-client 
communication or may otherwise be privileged and confidential and protected from disclosure. If the reader of this 
message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended 
recipient, please be aware that any dissemination or copying of this communication is strictly prohibited. If you have 
received this communication in error, please immediately notify us by replying to the message and deleting it from your 
computer.
 
Thank you,
 
Standard & Poor's
 
--------------------------------------------------------

 
 
 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com