Security Incidents: Re: Invalid TCP header flags

["Crist J. Clark" <crist.clark () attbi com>]

On Mon, Jul 08, 2002 at 03:22:21PM -0500, kyle.r.maxwell () verizon com wrote:
> We're seeing occasional TCP traffic with FIN-RST-ACK or FIN-PSH-RST-ACK set
> in the header. The strange part is that it's always set for port 110 (this
> is in fact a legitimate POP server). The traffic is observed inside the
> firewall; I don't have an IDS sensor outside.
>
> Could this just be port scanning,
Yes, but probably no.

> OS fingerprinting,
Yes, but probably no.

> a broken stack,
Yes.

> or something else?
Yes.

> I've googled around but haven't found too much useful info,
> other than to see that other folks have seen similar stuff.
I think the interesting thing to note is that the RST-flag is set. It
is extremely rare to see a RST in a hostile packet since it takes a
_really_ broken stack to ever respond to a TCP packet with the RST
set.

If these come with any frequency, it would be interesting to do a
packet capture and see exactly what goes on before and after these fly
by.
-- 
Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com