List:       full-disclosure
Subject:    Re: [Full-disclosure] SYN ACK scans to random ports
From:       Justin Ferguson <jf () ownco ! net>
Date:       2013-09-25 15:06:48
Message-ID: CAG-zyRzT5rYwXXdVGy5rx3PFDASy20uoa0S1K3DUYzHwgnpKdw () mail ! gmail ! com


Ftr I would expect to see other packets inbound if someone were attempting
to map a firewall; otherwise you wouldn't know if there was a firewall even
in place.

Moreover, is there even a firewall out there that doesn't track state
anymore? I'm sure there is, but this is likely to be akin to hoping
firewalls won't deal with fragments properly and similar...that doesn't stop
someone from downloading nmap, reading the manpage and trying it though.

The ports in question are probably important; as pointed out, the source
port may help you confirm that they're trying to evade a firewall from the
90s; the destination port will give you an idea of what they were after. If
there was a spoofed SYN and his boxes were sending SYN-ACKs to the spoofed
address...he would be seeing the SYN-ACKs too.

Whoever said the bit about checking for a stateful firewall is probably
right; the lack of other types of flags would tell me either they're using
different source IPs or, more likely, that they're just running some tool
without knowing what they're doing/why they're doing it; they just read
some old text that said it bypasses firewalls.


On Wednesday, September 25, 2013, <silence_is_best@hushmail.com> wrote:
>
>
> On 09/24/2013 at 10:29 PM, "Crist Clark" <cjclark@alum.mit.edu> wrote:
>
> Backscatter. Someone may be sending out spoofed SYNs. The target sends
> SYN-ACKs to the spoofed source, you. What's the source port? A well known
> service? Do the source addresses really have reachable services on those
> ports?
>
> On Sep 24, 2013 7:25 AM, <silence_is_best@hushmail.com> wrote:
>>
>> Can someone explain the point of a SYN ACK scan to random high ports? I
>> usually see a fair amount of these...at first I thought it was maybe a
>> block to an initiating SYN packet, but I don't see any evidence that the
>> SYN ACK isn't the first packet seen. Danke.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> That's a great point Crist, I had not thought about that...thanks for the
> insight.
>

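The thread above suggests two checks for unexplained inbound SYN-ACKs: a stateful check (was there ever an outbound SYN for that 4-tuple?) and, for the unsolicited ones, a look at the source port, the destination ports and whether any other flag combinations arrive from the same source. The following is an added example, not code from the thread, that runs those checks over a constructed packet list (RFC 5737 documentation addresses; the `Packet` record, the sample data and the "likely backscatter" / "likely SYN/ACK scan" heuristic are my own assumptions, not anything the posters wrote):

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: our host plus three remote sources (RFC 5737 ranges).
OUR_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters as tcpdump prints them: "S", "SA", "A", "R", ...


SAMPLE = [
    # A normal handshake we initiated: the SYN-ACK is expected.
    Packet(OUR_IP, 51000, "198.51.100.5", 443, "S"),
    Packet("198.51.100.5", 443, OUR_IP, 51000, "SA"),
    # Backscatter from a victim web server: SYN-ACKs from port 80 to random
    # high ports, retransmitted because the spoofed "client" never answers.
    Packet("192.0.2.20", 80, OUR_IP, 40001, "SA"),
    Packet("192.0.2.20", 80, OUR_IP, 40001, "SA"),
    Packet("192.0.2.20", 80, OUR_IP, 40001, "SA"),
    Packet("192.0.2.20", 80, OUR_IP, 40002, "SA"),
    # A scanner using source port 53 and SYN-ACK flags against service ports.
    Packet("192.0.2.99", 53, OUR_IP, 22, "SA"),
    Packet("192.0.2.99", 53, OUR_IP, 80, "SA"),
    Packet("192.0.2.99", 53, OUR_IP, 443, "SA"),
    Packet("192.0.2.99", 53, OUR_IP, 3389, "SA"),
]


def unsolicited_syn_acks(packets, our_ip):
    """Stateful check: keep inbound SYN-ACKs that no outbound SYN explains."""
    seen_syn = set()
    out = []
    for p in packets:
        if p.src == our_ip and p.flags == "S":
            seen_syn.add((p.dst, p.dport, p.sport))
        elif p.dst == our_ip and p.flags == "SA":
            if (p.src, p.sport, p.dport) not in seen_syn:
                out.append(p)
    return out


def classify(packets, our_ip):
    """Per-source summary of unsolicited SYN-ACKs plus a heuristic verdict."""
    by_src = defaultdict(list)
    for p in unsolicited_syn_acks(packets, our_ip):
        by_src[p.src].append(p)

    # Every flag combination each source sent us, not only SYN-ACK.
    flags_by_src = defaultdict(set)
    for p in packets:
        if p.dst == our_ip:
            flags_by_src[p.src].add(p.flags)

    report = {}
    for src, pkts in by_src.items():
        sports = {p.sport for p in pkts}
        dports = {p.dport for p in pkts}
        # Identical (sport, dport) pairs repeating look like retransmissions.
        repeats = max(Counter((p.sport, p.dport) for p in pkts).values())
        other_flags = sorted(flags_by_src[src] - {"SA"})

        if all(s < 1024 for s in sports) and all(d >= 1024 for d in dports) and repeats > 1:
            verdict = "likely backscatter"   # a real service answering a spoofed SYN
        elif any(d < 1024 for d in dports) or len(dports) >= 4:
            verdict = "likely SYN/ACK scan"  # service ports are what was being probed
        else:
            verdict = "unclear"

        report[src] = {
            "source_ports": sorted(sports),
            "dest_ports": sorted(dports),
            "repeats": repeats,
            "other_flags": other_flags,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for src, info in classify(SAMPLE, OUR_IP).items():
        print(src, info)
```

The verdict is a triage hint, not proof: backscatter is confirmed by checking whether the source address really runs a reachable service on that source port (as Crist suggested), and a scanner that also sends ACK or RST probes from the same address will show up in `other_flags`.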
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
