Re: When tethering through my (UK) mobile provider, nmap reports closed ports as open

[Jaime T <enopatch () gmail com>]

On 12/02/2019, David Fifield <david () bamsoftware com> wrote:
> I have heard that some network equipment will speculatively inject a
> false SYN/ACK for every SYN, in order to decrease perceived latency, or
> something. You may be able to get some more information using the
> --reason option, which will show the TTL of received packets. If the
> SYN/ACK is being injected, it will probably have a TTL that is
> inconsistent with non-injected packets, for example the echo-reply.

Thank you for your reply, David. I've very recently decided to switch from
my existing O2 (UK) MVNO to a Three (UK) MVNO, and here are the
(abbreviated) outputs of the 2 scans while I'm tethering via the 2 different
mobile networks:

1) Via the O2 MVNO (problem present):
$ nmap --reason -p81 scanme.nmap.org
Host is up, received reset ttl 59 (0.058s latency).
PORT   STATE SERVICE   REASON
81/tcp open  hosts2-ns syn-ack ttl 59

2) Via the Three MVNO (problem not present):
$ nmap --reason -p81 scanme.nmap.org
Host is up, received echo-reply ttl 50 (0.20s latency).
PORT   STATE  SERVICE   REASON
81/tcp closed hosts2-ns reset ttl 50

I'm not at all sure whether these results explain exactly what is causing
the problem while I tether via the O2 MVNO, but I can only assume something
in the O2 network is doing something it shouldn't. I'm also surprised that
they (O2) are "allowed" to do it (perhaps I've completely misunderstood
Internet governance, but aren't there rules about this kind of stuff?)
Anyway, at least I get correct results when I tether via my new mobile
network provider, so I guess that means the problem is "kind-of" resolved
for me. Thank you again for your help.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/