Security Incidents mailing list archives
zero tcp offset packets sent to a honeypot
From: "Costas Karafasoulis" <karafas () mail ariadne-t gr>
Date: Tue, 25 Jun 2002 10:54:10 +0300
Hello all,
An attacker had connected 3 times to the ftp service of an
already compromised honeypot 10.6.1.4 (Redhat 6.2) and then
disconnected. After this he had sent many packets of the form below.
The honeypot did not respond to these packets at all.
Note that tcp length is zero, and the starting point of data is not
known. Some tcpdump implementations or a few related utilities (like
ipsumdump) won't work correctly with this packet. But I can't really
figure out what he is trying to do.
04/20-19:23:37.025924 xxx.xxx.xxx.xxx:80 -> 10.6.1.4:80
TCP TTL:240 TOS:0x80 ID:7977 IpLen:20 DgmLen:64
******** Seq: 0x9A020000 Ack: 0x0 Win: 0xD204 TcpLen: 0
00 00 00 00 00 00 00 00 00 00 00 00 AF 9A 1C 8C ................
D9 6E FC 16 0A 2E 00 00 .
Any ideas??
Thanks!
Costas
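As an added illustration (not part of the original post), the following Python decodes an IPv4/TCP frame constructed to match the logged values (ports 80/80, Seq 0x9A020000, Win 0xD204, TTL 240, TOS 0x80, ID 7977, DgmLen 64, TcpLen 0, no flags, and the 24 dumped payload bytes). The source address is a placeholder from TEST-NET-1 (192.0.2.1) because the post redacts it, and checksums are left zero. It shows why a decoder that trusts the TCP data offset field goes wrong: with an offset of 0 the "payload" would start at the first byte of the TCP header, while a decoder that clamps the header to its 20-byte minimum recovers the real 24-byte payload and flags the packet as malformed.

```python
import socket
import struct
from dataclasses import dataclass, field

TCP_MIN_HEADER = 20  # RFC 793 minimum TCP header, data offset 5 words

# Payload bytes as printed in the post's hex dump (24 bytes).
SAMPLE_PAYLOAD = bytes.fromhex("000000000000000000000000AF9A1C8C"
                               "D96EFC160A2E0000")


def build_packet(data_offset_words: int = 0, flags: int = 0,
                 payload: bytes = SAMPLE_PAYLOAD) -> bytes:
    """Constructed IPv4+TCP frame. Defaults reproduce the logged packet:
    data offset 0 (TcpLen: 0) and no flags set ("********").
    192.0.2.1 is a placeholder source address; checksums are left zero."""
    total_len = 20 + 20 + len(payload)            # DgmLen: 64 for the sample
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45,                        # version 4, IHL 5 (20 bytes)
                     0x80,                        # TOS 0x80
                     total_len,
                     7977,                        # ID
                     0,                           # flags / fragment offset
                     240,                         # TTL 240
                     6,                           # protocol TCP
                     0,                           # header checksum (unset)
                     socket.inet_aton("192.0.2.1"),
                     socket.inet_aton("10.6.1.4"))
    tcp = struct.pack("!HHIIBBHHH",
                      80, 80,                     # source / destination port
                      0x9A020000,                 # sequence number
                      0,                          # acknowledgement number
                      (data_offset_words & 0xF) << 4,  # data offset, reserved 0
                      flags & 0xFF,
                      0xD204,                     # window
                      0, 0)                       # checksum, urgent pointer
    return ip + tcp + payload


@dataclass
class TcpSummary:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ttl: int
    window: int
    flags: int
    data_offset_words: int
    claimed_header_len: int
    naive_payload_len: int     # what a decoder trusting the offset would see
    payload_len: int           # after clamping the header to 20 bytes
    anomalies: list = field(default_factory=list)


def parse_ipv4_tcp(pkt: bytes) -> TcpSummary:
    """Decode IPv4+TCP headers and record header-sanity anomalies."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp_start = ihl
    tcp_end = min(total_len, len(pkt))
    if tcp_end - tcp_start < TCP_MIN_HEADER:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, _ack, off_res, flags, window, _tcsum,
     _urg) = struct.unpack("!HHIIBBHHH", pkt[tcp_start:tcp_start + 20])
    data_offset = off_res >> 4
    claimed = data_offset * 4
    anomalies = []
    if data_offset < 5:
        anomalies.append(f"tcp data offset {data_offset} < 5: header claims "
                         f"{claimed} bytes, minimum is {TCP_MIN_HEADER}")
    if tcp_start + claimed > tcp_end:
        anomalies.append("tcp data offset points past end of packet")
    if flags == 0:
        anomalies.append("no tcp flags set")
    # A naive decoder believes the offset, so the header bytes become "data".
    naive_payload_len = max(tcp_end - (tcp_start + claimed), 0)
    # A robust decoder never lets the header be shorter than 20 bytes.
    header_len = min(max(claimed, TCP_MIN_HEADER), tcp_end - tcp_start)
    payload_len = tcp_end - (tcp_start + header_len)
    return TcpSummary(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport,
                      dport, seq, ttl, window, flags, data_offset, claimed,
                      naive_payload_len, payload_len, anomalies)


if __name__ == "__main__":
    summary = parse_ipv4_tcp(build_packet())
    print(f"{summary.src}:{summary.sport} -> {summary.dst}:{summary.dport} "
          f"ttl={summary.ttl} off={summary.data_offset_words} "
          f"naive_payload={summary.naive_payload_len} "
          f"payload={summary.payload_len}")
    for a in summary.anomalies:
        print("  anomaly:", a)
```

Running it on the sample prints a 44-byte "payload" for the naive interpretation against the real 24 bytes, which is the kind of disagreement that makes tcpdump-style tools misparse such packets; a detection rule keyed on data offset below 5 catches them regardless of what the sender intended.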
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com