Re: 24-Hour Beta: Nmap 4.69BETA1

[Fyodor <fyodor () insecure org>]

On Sun, Sep 07, 2008 at 08:30:40PM -0500, Alan Jones wrote:
> TRACEROUTE (using port 22/tcp)
> HOP RTT   ADDRESS
> 1   1.00  home (192.168.x.xx)
> 2   14.00 adsl-70-xx-x-x.dsl.ltrkar.sbcglobal.net (70.232.xx.xxx)

I think this sbcglobal.net machine (or, possibly, software running on
your own machine) is spoofing the port 80 RST packets "from" scanme.
Maybe SBC is running a transparent web proxy cache on port 80.  ISPs
sometimes do similar things with port 25 as well.  A giveaway is the
responses you received with a TTL of 255, like this:

RCVD (0.2650s) TCP 64.13.134.52:80 > 192.168.1.67:35207 R ttl=255 id=1192 iplen=63  seq=3390443990 win=0

That should only happen if they were generated from the next hop
machine (or from software on your machine itself).

I think this is a good example of how Nmap can help in understanding
and detecting these sorts of network anomalies.  One thing we could
consider doing is making certain ports likely to have such shenanigans
(like tcp 25, 80, and 113) be considered "less desirable" than other
ports by the new Nmap timing ping selector.  But I'm not sure whether
this problem is common enough to merit a special case like that.  And
in any case, these sorts of results are sometimes desirable to better
understand the network.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org