Security Incidents mailing list archives

Invalid TCP header flags

From: kyle.r.maxwell () verizon com
Date: Mon, 8 Jul 2002 15:22:21 -0500

We're seeing occasional TCP traffic with FIN-RST-ACK or FIN-PSH-RST-ACK set
in the header. The strange part is that it's always set for port 110 (this
is in fact a legitimate POP server). The traffic is observed inside the
firewall; I don't have an IDS sensor outside.

Could this just be port scanning, OS fingerprinting, a broken stack, or
something else? I've googled around but haven't found too much useful info,
other than to see that other folks have seen similar stuff.

--
Kyle Maxwell
InfoSec Engineer
Global Security Operations Center
Verizon International Security
Office  - 972-929-1287
Hotline - 972-929-1290
kyle.r.maxwell () verizon com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Invalid TCP header flags kyle . r . maxwell (Jul 08)
- Re: Invalid TCP header flags Crist J. Clark (Jul 09)