Nmap Development mailing list archives

Re: Nmap does not notice ACK packets
From: Mark Boltz <mboltz () stonegizmo com>
Date: Mon, 05 Feb 2007 09:32:05 -0500


Date: Sat, 03 Feb 2007 11:35:00 +0100
From: Richard van den Berg <richard.vandenberg () ins com>
Subject: Nmap does not notice ACK packets
To: nmap-dev () insecure org

I am scanning a fairly large network using -sS and I have some hosts
respond to nmap's SYN packet with only an ACK. I know this is a strange
way to behave for a host. Has anyone ever seen this before? It seems
intermittent because when I scan the host a second time, all is good.
Even when I craft the exact same packets using hping2, the host will
respond with SYN ACK (as it should).

The thing is, nmap 4.20 never reacts to these ACK packets. The port shows
up as filtered, and is not used to send TCP probes to either. I am not
sure what "state" nmap should give to such a port. Maybe open|filtered ?
  
What you're seeing is possibly a firewall device of some kind, or maybe 
an IPS that is configured with SYN flood protection. I know that the 
Symantec firewalls have done this in the past, and it messes up other 
stateful firewalls in between that are expecting the SYN-ACK instead. If 
you could find out the device that's doing it, it would be a useful 
piece of information.

-- 
Mark Boltz 

"Those who would give up essential Liberty, to purchase a little 
temporary Safety, deserve neither Liberty nor Safety." 
  -- Benjamin Franklin (1706-1790) 
  reply of the Pennsylvania Assembly to the Governor 
  November 11, 1755



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
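
An added example, not part of the original thread and not Nmap code: a small Python classifier that pairs each SYN probe in a capture with the reply it received and singles out the bare-ACK replies discussed above, so the ports behind the suspected device can be listed. The packet bytes, addresses, port numbers and class names ("bare-ack" and so on) are constructed for illustration.

```python
import socket
import struct
from collections import namedtuple

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits
Seg = namedtuple("Seg", "src sport dst dport flags")

def parse_ipv4_tcp(pkt):
    """Parse a raw IPv4 packet carrying TCP; raise ValueError otherwise."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not TCP or truncated")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return Seg(socket.inet_ntoa(pkt[12:16]), sport,
               socket.inet_ntoa(pkt[16:20]), dport, off_flags & 0x3F)

def classify_replies(packets):
    """Return {(target, port): class} for every SYN probe in the capture."""
    probes, result = set(), {}
    for seg in map(parse_ipv4_tcp, packets):
        if seg.flags & (SYN | RST | ACK) == SYN:           # the scanner's probe
            probes.add((seg.dst, seg.dport, seg.src, seg.sport))
            result.setdefault((seg.dst, seg.dport), "no-reply")
            continue
        if (seg.src, seg.sport, seg.dst, seg.dport) not in probes:
            continue                                        # unrelated traffic
        result[(seg.src, seg.sport)] = (
            "rst" if seg.flags & RST else
            "syn-ack" if seg.flags & SYN else               # SYN plus ACK
            "bare-ack" if seg.flags & ACK else "other")     # case from the thread
    return result

def build(src, dst, sport, dport, flags):
    """Constructed packet: minimal IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 1024, 0, 0)

def sample_capture(scanner="192.0.2.10", target="198.51.100.5"):
    """Constructed capture: four probes; port 25 never answers."""
    replies = {80: SYN | ACK, 22: RST | ACK, 443: ACK}
    pkts = [build(scanner, target, 40000, p, SYN) for p in (80, 22, 443, 25)]
    return pkts + [build(target, scanner, p, 40000, f) for p, f in replies.items()]

if __name__ == "__main__":
    for (host, port), cls in sorted(classify_replies(sample_capture()).items()):
        print(f"{host}:{port:<5} {cls}")
```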

