Security Basics mailing list archives

Re: Is this normal?


From: Kenneth R Swain II <ken () kenswain com>
Date: Wed, 27 Oct 2004 12:56:58 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Oct 27, 2004, at 8:35 AM, Barrie Dempster wrote:

On Fri, 2004-10-22 at 12:34 -0300, Joe Polk wrote:
It's not necessarily unusual. Someone is scanning for open ports and such and
is attempting to come in.
<snip>

They most certainly are not, in this case.
You can't scan for open ports if the packets contain a fake return
address like this. In order for the scanning machine to know that a port
is open it requires something to be sent back (i.e. SA). As has been
mentioned before, this is most likely a SYN flood type attack.

--
Barrie Dempster (zeedo) - Fortiter et Strenue

  http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]


Wouldn't the -D option let you do a decoy scan? This would let you make a scan look like it is coming from some other place or dummy host.

Ken Swain
mail: ken () kenswain com
im: aim:krswain190
web: kenswain.com
"/dev/geek"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBf9NdTyWvVEql+hsRAo1DAJ0a7EwvkfPHZo72WebXT1+AmsXexQCeL7NQ
huQbf7CLDysqwJ/rBJQUAxo=
=d0cu
-----END PGP SIGNATURE-----

