> Date: Sat, 03 Feb 2007 11:35:00 +0100
> From: Richard van den Berg <richard.vandenberg_at_ins.com>
> Subject: Nmap does not notice ACK packets
> To: nmap-dev_at_insecure.org
>
> I am scanning a fairly large network using -sS and I have some hosts
> respond to nmap's SYN packet with only an ACK. I know this is a strange
> way to behave for a host. Has anyone ever seen this before? It seems
> intermittent because when I scan the host a second time, all is good.
> Even when I craft the exact same packets using hping2, the host will
> respond with SYN ACK (as it should).
>
> The thing is, nmap 4.20 never reacts to these ACK packets. The port shows
> up as filtered, and is not used to send TCP probes to either. I am not
> sure what "state" nmap should give to such a port. Maybe open|filtered ?
>
What you're seeing is possibly a firewall device of some kind, or maybe
an IPS that is configured with SYN flood protection. I know that the
Symantec firewalls have done this in the past, and it messes up other
stateful firewalls in between that are expecting the SYN-ACK instead. If
you could find out the device that's doing it, it would be a useful
piece of information.
--
Mark Boltz
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790)
reply of the Pennsylvania Assembly to the Governor
November 11, 1755
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Feb 05 2007
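
An added example (not part of either post above, and not Nmap's code): a small Python classifier for replies to a SYN probe that separates the bare-ACK reply discussed in this thread from SYN-ACK and RST, so affected hosts can be picked out of a capture and traced to the device responsible. The packet bytes, addresses, ports, verdict labels and function names are constructed for illustration.

```python
import struct

# TCP flag bits (byte 13 of the TCP header)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def build_reply(src_port, seq, ack, flags, dst_port=40000):
    """Constructed sample data: minimal IPv4+TCP reply, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return ip + tcp

def classify_reply(packet, probe_seq):
    """Return (source_port, verdict) for a reply to a SYN sent with sequence probe_seq."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None, "not-ipv4-tcp"
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 20:
        return None, "truncated"
    sport, _, _, ack, _, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
    # A reply that acknowledges our SYN carries ack = probe_seq + 1 (mod 2^32).
    acks_probe = ack == ((probe_seq + 1) & 0xFFFFFFFF)
    if flags & RST:
        return sport, "rst"
    if flags & SYN and flags & ACK:
        return sport, "syn-ack" if acks_probe else "syn-ack-unexpected-ack"
    if flags & ACK and not flags & (SYN | FIN):
        # The case from the thread: ACK with no SYN in answer to a SYN.
        return sport, "ack-only" if acks_probe else "ack-only-unexpected-ack"
    return sport, "other"

def summarize(packets, probe_seq):
    """Map each replying source port to its verdict."""
    return dict(classify_reply(p, probe_seq) for p in packets)

if __name__ == "__main__":
    PROBE_SEQ = 0x1000  # constructed probe sequence number
    sample = [
        build_reply(22, 0xAAAA, PROBE_SEQ + 1, SYN | ACK),
        build_reply(80, 0xBBBB, PROBE_SEQ + 1, ACK),
        build_reply(443, 0, PROBE_SEQ + 1, RST | ACK),
    ]
    for port, verdict in sorted(summarize(sample, PROBE_SEQ).items()):
        print(port, verdict)
```
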