Re: Nmap does not notice ACK packets

[Mark Boltz <mboltz () stonegizmo com>]

> Date: Sat, 03 Feb 2007 11:35:00 +0100
> From: Richard van den Berg <richard.vandenberg () ins com>
> Subject: Nmap does not notice ACK packets
> To: nmap-dev () insecure org
>
> I am scanning a fairly large network using -sS and I have some hosts
> respond to nmap's SYN packet with only an ACK. I know this is a strange
> way to behave for a host. Has anyone ever seens this before? It seems
> intermittent because when I scan the host a second time, all is good.
> Even when I craft the exact same packets using hping2, the host will
> responds with SYN ACK (as it should).
>
> The thing is, nmap 4.20 never reacts to these ACK packet. The port shows
> up as filtered, and is not used to send TCP probes to either. I am not
> sure what "state" nmap should give to such a port. Maybe open|filtered ?
>   
What you're seeing is possibly a firewall device of some kind, or maybe 
an IPS that is configured with SYN flood protection. I know that the 
Symantec firewalls have done this in the past, and it messes up other 
stateful firewalls in between that are expecting the SYN-ACK instead. If 
you could find out the device that's doing it, it would be a useful 
piece of information.

-- 
Mark Boltz 

"Those who would give up essential Liberty, to purchase a little 
temporary Safety, deserve neither Liberty nor Safety." 
  -- Benjamin Franklin (1706-1790) 
  reply of the Pennsylvania Assembly to the Governor 
  November 11, 1755



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org