Security Incidents mailing list archives

Re: Strange TCP headers


From: Michel Arboi <arboi () yahoo com>
Date: Sat, 11 May 2002 09:32:54 +0200 (CEST)

--- pbsarnac () ThoughtWorks com wrote:
> The interesting thing is that a majority of the scans are originating
> from port 6346, which snort.org informs me is the gnutella server
> port.

I suspect that your Pix is not decoding those packets (or fragments)
correctly.
If this is a new scanning technique, I hardly understand its use. Some
kind of fingerprinting maybe? They would use the 6346 port because it
might be unfiltered (on personal firewalls at least), just like some
people used the 20 (FTP data) port to go through stupid stateless
filters.

> All those I've verified that at least
> two of the clients that these packets were directed to were running
> various file-sharing clients.

So I'd rather bet on:
1. an artefact created by the Cisco
2. some data corruption (bad phone line, defective modem, whatever)
3. some IP layer bug


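An added illustration, not part of the thread above, of the source-port trick Michel mentions (using port 20 or 6346 as the *source* port so that a stateless filter lets the probe through). The model below is mine: a toy packet-filter evaluator with a naive inbound ACL that "permits FTP data and Gnutella replies", beside a minimal connection-tracking filter. The addresses, ports and rule set are constructed for the example and are not from the original post or from any Cisco configuration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


@dataclass(frozen=True)
class Rule:
    """One stateless ACL entry; None means 'any'."""
    action: str                    # "permit" or "deny"
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False      # classic stateless 'established' = ACK bit set

    def matches(self, p: Packet) -> bool:
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not p.ack:
            return False
        return True


def stateless_filter(rules: List[Rule], p: Packet) -> bool:
    """First matching rule wins; implicit deny at the end."""
    for r in rules:
        if r.matches(p):
            return r.action == "permit"
    return False


class StatefulFilter:
    """Connection tracking: inbound packets are allowed only if an inside host
    initiated the matching flow (constructed, simplified model)."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, p: Packet) -> bool:
        if p.syn and not p.ack:                 # inside host opens a connection
            self.flows.add((p.src, p.sport, p.dst, p.dport))
        return True

    def inbound(self, p: Packet) -> bool:
        return (p.dst, p.dport, p.src, p.sport) in self.flows


# Constructed inbound ACL of the kind the post criticises: it trusts the
# source port as evidence that a packet is a reply to something we started.
NAIVE_INBOUND_ACL = [
    Rule("permit", sport=20),           # "FTP data connections coming back to us"
    Rule("permit", sport=6346),         # "Gnutella peers answering our client"
    Rule("permit", established=True),   # replies to our own connections
    Rule("deny"),
]

ATTACKER, VICTIM, PEER = "203.0.113.7", "192.0.2.10", "198.51.100.5"


def probe(allow: Callable[[Packet], bool], src_port: int, ports: List[int]) -> List[int]:
    """SYN probes from a fixed source port; returns the target ports the filter let in."""
    return [dp for dp in ports
            if allow(Packet(ATTACKER, src_port, VICTIM, dp, syn=True, ack=False))]


def stateless_results() -> Dict[int, List[int]]:
    """Which target ports a SYN scan reaches through the naive ACL, per source port."""
    allow = lambda p: stateless_filter(NAIVE_INBOUND_ACL, p)
    return {sp: probe(allow, sp, [22, 139, 445]) for sp in (20, 6346, 40000)}


def stateful_results() -> Dict[str, object]:
    """Same probes against connection tracking, plus one legitimate Gnutella reply."""
    fw = StatefulFilter()
    # Inside client talks to a real Gnutella peer first ...
    fw.outbound(Packet(VICTIM, 51000, PEER, 6346, syn=True, ack=False))
    legit_reply = Packet(PEER, 6346, VICTIM, 51000, syn=True, ack=True)
    return {
        "legit_reply_allowed": fw.inbound(legit_reply),
        "scan_from_6346": probe(fw.inbound, 6346, [22, 139, 445]),
        "scan_from_20": probe(fw.inbound, 20, [22, 139, 445]),
    }


if __name__ == "__main__":
    print("stateless:", stateless_results())
    print("stateful: ", stateful_results())
```

Running it shows the point of the thread: through the stateless ACL every probe sent from source port 20 or 6346 reaches ports 22, 139 and 445, while the same probes from an ordinary high port are dropped; the connection-tracking filter admits only the reply to the flow the inside client actually opened and drops all the probes regardless of source port.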

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
