Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

invalid ack with F R A bits set
From: Michiel van der Kraats <michiel () backup nl>
Date: Thu, 8 Mar 2001 22:04:59 +0100
Hi,

Snort's portscan module captured this traffic a few days ago:

Mar  4 21:29:33 xxx.xxx.xxx.209:80 -> xxx.xxx.xxx.210:43325 INVALIDACK
***FR*A*
Mar  4 21:29:33 xxx.xxx.xxx.209:80 -> xxx.xxx.xxx.210:34307 INVALIDACK
***FR*A*
Mar  4 21:29:39 xxx.xxx.xxx.209:80 -> xxx.xxx.xxx.210:34307 INVALIDACK
***FR*A*
Mar  4 21:29:54 xxx.xxx.xxx.209:2024 -> xxx.xxx.xxx.210:2819 INVALIDACK
***FR*A*
Mar  4 21:29:54 xxx.xxx.xxx.209:575 -> xxx.xxx.xxx.210:23885 INVALIDACK
***FR*A*
Mar  4 21:29:54 xxx.xxx.xxx.209:573 -> xxx.xxx.xxx.210:23828 INVALIDACK
***FR*A*
Mar  4 21:29:54 xxx.xxx.xxx.209:2232 -> xxx.xxx.xxx.210:7237 INVALIDACK
***FR*A*
Mar  4 21:29:54 xxx.xxx.xxx.209:643 -> xxx.xxx.xxx.210:32015 INVALIDACK
***FR*A*

.209 is an Arescom DSL router (NetDSL 1000) and .210 is our firewall
(OpenBSD-2.8). I have been able to reproduce this behaviour with nmap.
Starting an nmap scan against .209 with the -sS option generates the
same response although only two instances of the INVALID ACK ***FR*A*
are recorded per nmap scan.

--
Michiel

  By Date           By Thread  

Current thread:
  • invalid ack with F R A bits set Michiel van der Kraats (Mar 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]