Security Incidents: Re: odd scans?

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: odd scans?

From: Brett Glass <brett () lariat org>
Date: Wed, 29 May 2002 14:47:56 -0600

At 12:21 PM 5/24/2002, Kyle R. Hofmann wrote:

I've seen similar behavior from a misbehaving Linux 2.2.19 system.  I don't
know what triggered it, but it began trying to reset connections that weren't
there:

05:41:44.057978 xxx.62174 > yyy.zz: R 1060312:1060312(0) win 0
05:42:38.212257 xxx.62175 > yyy.zz: R 1060356:1060356(0) win 0
05:53:50.091303 xxx.62176 > yyy.zz: R 1060312:1060312(0) win 0


[Snip]

Resetting connections which are not there is frequently a symptom
of SYN flooding by someone who's spoofing your source address. We
see this sort of "backscatter" frequently. A stateful firewall can
help by blocking SYN-ACKs and ACKs when an outbound SYN was never 
sent.

--Brett Glass


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

By Date By Thread

Current thread:

odd scans? Scott, Michael R. (May 24)
- Re: odd scans? Kyle R. Hofmann (May 24)
  - Re: odd scans? Brett Glass (May 29)
- Re: odd scans? Matt Zimmerman (May 24)
- Re: odd scans? Bamm (Robert) Visscher (May 24)
- <Possible follow-ups>
- RE: odd scans? Smith, Donald (May 26)
- RE: odd scans? Bamm (Robert) Visscher (May 28)