RE: Strange replies on closed port

["Lars Troen" <Lars.Troen () sit no>]

> a and b seems to be clear:
> a: firewalled host
> b: non-firewalled host

These observations seem to be correct. 

> c and d are a bit strange: Who is responding with the 
> icmp-messages: the target-host or a packetfilter? Especially 
> the hping-message in d confuses me a bit.
> What should be the default behaviour for an ip-stack if it 
> gets a SYN on a closed Port?

The default behaviour is to send an icmp packet with port unreachable.
Host d) is filtered by an access list on the router in front of the
server.

Lars

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------