
List:       intrusions
Subject:    RE: RST after 111 Probe
From:       Jim.Slora@phra.com (James C. Slora Jr.)
Date:       2002-03-27 15:31:11

My firewall should have dropped the incoming SYN silently, so the middle
portion of the handshake should not have happened. I guess I need to sniff
for outbound ack leaks in my FW.

- Jim

-----Original Message-----
From: Glenn Forbes Fleming Larratt [mailto:glratt@rice.edu]
Sent: Wednesday, March 27, 2002 10:22 AM
To: James C. Slora Jr.
Cc: intrusions@incidents.org
Subject: Re: RST after 111 Probe


Most likely the prober is spoofing somebody else's address, so the flow
goes:

    prober [spoofing bystander] -> target : SYN 111 - "wanna portmap?"
    target -> bystander : SYNack or RST(ack) from 111 - "Yes/no/maybe/whatever"
    bystander -> target : RST(ack) 111 "I didn't say anything"

	-g


On Wed, 27 Mar 2002, James C. Slora Jr. wrote:

> Date: Wed, 27 Mar 2002 10:08:27 -0500
> From: James C. Slora Jr. <Jim.Slora@phra.com>
> To: intrusions@incidents.org
> Subject: RST after 111 Probe
>
> Is this prober being sweet by cleaning up after his connection attempts, or
> is there some other explanation? It is a real rarity for me to get an RST
> packet from a hostile prober.
>
> 2002-03-27	06:54:33	61.186.142.195	to myhost Tcp	src 59000	dst 111	SYN
> e6 78 00 6f 30 87 c2 41 00 00 00 00 60 02 22 38 87 62 00 00 02 04 05 b4
>
> 2002-03-27	06:54:35	61.186.142.195	to myhost Tcp	src 59000	dst 111	RST
> e6 78 00 6f 30 87 c2 42 00 00 00 00 50 04 22 38 9f 1b 00 00
>
> - Jim
>
>

				Glenn Forbes Fleming Larratt
				Rice University Network Management
				glratt@rice.edu
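As an added worked example (not part of the thread), the two TCP headers Jim pasted can be decoded and compared against what Glenn's spoofing theory predicts: RFC 793 says a host in CLOSED that receives a segment carrying ACK answers with a bare RST whose sequence number is taken from that segment's ACK field, so a bystander hit by the target's SYN/ACK would send RST, no ACK flag, seq == ISN+1. The hex strings are copied from the original message; the check names are my own.

```python
# Added example (not from the original thread): decode the two TCP headers
# from Jim's log and relate the RST to the SYN it follows.
import struct

# Hex dumps exactly as they appear in the quoted message.
SYN_HEX = "e6 78 00 6f 30 87 c2 41 00 00 00 00 60 02 22 38 87 62 00 00 02 04 05 b4"
RST_HEX = "e6 78 00 6f 30 87 c2 42 00 00 00 00 50 04 22 38 9f 1b 00 00"

# Low six flag bits of the offset/flags word, bit 0 first.
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def parse_tcp_header(hexdump):
    """Decode a TCP header (RFC 793 layout) from a space-separated hex string."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", raw[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    flags = [n for i, n in enumerate(FLAG_NAMES) if off_flags & (1 << i)]
    options = raw[20:data_offset]
    mss = None
    if len(options) >= 4 and options[0] == 2 and options[1] == 4:  # kind 2 = MSS
        mss = struct.unpack("!H", options[2:4])[0]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "hdr_len": data_offset, "mss": mss}


def analyze_pair(syn_hex, rst_hex):
    """Checks an analyst would run on a SYN followed by an RST.

    RFC 793 reset generation: a CLOSED host receiving a segment with ACK set
    replies <SEQ=SEG.ACK><CTL=RST>. The target's SYN/ACK would acknowledge
    ISN+1, so a bystander's reset carries seq == ISN+1 and no ACK flag.
    """
    syn, rst = parse_tcp_header(syn_hex), parse_tcp_header(rst_hex)
    return {
        "same_flow": (syn["sport"], syn["dport"]) == (rst["sport"], rst["dport"]),
        "rst_seq_is_isn_plus_1": rst["seq"] == (syn["seq"] + 1) & 0xFFFFFFFF,
        "rst_without_ack": "RST" in rst["flags"] and "ACK" not in rst["flags"],
        "same_window": syn["window"] == rst["window"],
    }


if __name__ == "__main__":
    for name, hx in (("SYN", SYN_HEX), ("RST", RST_HEX)):
        print(name, parse_tcp_header(hx))
    print(analyze_pair(SYN_HEX, RST_HEX))
```

For the two headers on the page all four checks come back true; the identical window (8760) and the seq of exactly ISN+1 are the details worth keeping in mind while sniffing for the leaked SYN/ACK Jim mentions.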

