List: intrusions
Subject: RE: RST after 111 Probe
From: James C. Slora Jr. <Jim.Slora@phra.com>
Date: 2002-03-27 15:31:11
My firewall should have dropped the incoming SYN silently, so the middle
portion of the handshake should not have happened. I guess I need to sniff
for outbound ack leaks in my FW.
- Jim
-----Original Message-----
From: Glenn Forbes Fleming Larratt [mailto:glratt@rice.edu]
Sent: Wednesday, March 27, 2002 10:22 AM
To: James C. Slora Jr.
Cc: intrusions@incidents.org
Subject: Re: RST after 111 Probe
Most likely the prober is spoofing somebody else's address, so the flow
goes:
prober [spoofing bystander] -> target : SYN 111 - "wanna portmap?"
target -> bystander : SYNack or RST(ack) from 111 - "Yes/no/maybe/whatever"
bystander -> target : RST(ack) 111 "I didn't say anything"
-g
On Wed, 27 Mar 2002, James C. Slora Jr. wrote:
> Date: Wed, 27 Mar 2002 10:08:27 -0500
> From: James C. Slora Jr. <Jim.Slora@phra.com>
> To: intrusions@incidents.org
> Subject: RST after 111 Probe
>
> Is this prober being sweet by cleaning up after his connection attempts, or
> is there some other explanation? It is a real rarity for me to get an RST
> packet from a hostile prober.
>
> 2002-03-27 06:54:33 61.186.142.195 to myhost Tcp src 59000 dst 111 SYN
> e6 78 00 6f 30 87 c2 41 00 00 00 00 60 02 22 38 87 62 00 00 02 04 05 b4
>
> 2002-03-27 06:54:35 61.186.142.195 to myhost Tcp src 59000 dst 111 RST
> e6 78 00 6f 30 87 c2 42 00 00 00 00 50 04 22 38 9f 1b 00 00
>
> - Jim
>
>
Glenn Forbes Fleming Larratt
Rice University Network Management
glratt@rice.edu
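The two dumps Jim quoted are bare TCP headers (no IP header), so they can be decoded directly. Below is an added example, not code from the thread or its participants: a small TCP header parser run over exactly those bytes, plus a check of the RST against the reset-generation rules in RFC 793 (a reset answering a segment that carries ACK takes SEQ from that segment's ACK field and sets no ACK bit; a reset answering a plain SYN uses SEQ=0 and ACK=SYN.SEQ+1). The function names parse_tcp_header, parse_options and classify_reset and the result labels are this example's own, and the hex strings are constructed from the dumps above.

```python
import struct

# Constructed from the two hex dumps posted in the thread: TCP header bytes
# only, in the order they appear on the page (SYN first, RST two seconds later).
SYN_HEX = "e6 78 00 6f 30 87 c2 41 00 00 00 00 60 02 22 38 87 62 00 00 02 04 05 b4"
RST_HEX = "e6 78 00 6f 30 87 c2 42 00 00 00 00 50 04 22 38 9f 1b 00 00"

FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
             ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]


def parse_options(opts):
    """Walk the TCP options area; decode MSS, keep anything else as raw hex."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length %d" % length)
        data = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            out.append(("MSS", struct.unpack("!H", data)[0]))
        else:
            out.append(("kind%d" % kind, data.hex()))
        i += length
    return out


def parse_tcp_header(hex_dump):
    """Decode a 20+ byte TCP header given as a spaced hex string."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, off_res, flags, win, csum, urg = struct.unpack(
        "!HHIIBBHHH", raw[:20])
    data_offset = (off_res >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(raw):
        raise ValueError("data offset %d inconsistent with %d bytes" % (data_offset, len(raw)))
    return {
        "src": src, "dst": dst, "seq": seq, "ack": ack,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "window": win, "checksum": csum, "urgent": urg,
        "options": parse_options(raw[20:data_offset]),
    }


def classify_reset(syn, rst):
    """Relate a RST to the SYN whose ISN it should reference (RFC 793 rules)."""
    if "RST" not in rst["flags"]:
        return "not-a-reset"
    isn_plus_1 = (syn["seq"] + 1) & 0xFFFFFFFF
    # Reset generated on receipt of an ACK-bearing segment (e.g. a SYN/ACK that
    # acknowledged ISN+1): SEQ = that segment's ACK, no ACK bit on the reset.
    if "ACK" not in rst["flags"] and rst["seq"] == isn_plus_1:
        return "rst-to-synack"
    # Reset generated on receipt of the SYN itself (no listener): SEQ=0, ACK=ISN+1.
    if "ACK" in rst["flags"] and rst["seq"] == 0 and rst["ack"] == isn_plus_1:
        return "rst-to-syn"
    return "unrelated"


def summarize(pkt):
    return "%d -> %d %s seq=0x%08x ack=0x%08x win=%d opts=%s" % (
        pkt["src"], pkt["dst"], "/".join(pkt["flags"]) or "-",
        pkt["seq"], pkt["ack"], pkt["window"], pkt["options"])


if __name__ == "__main__":
    syn = parse_tcp_header(SYN_HEX)
    rst = parse_tcp_header(RST_HEX)
    print(summarize(syn))
    print(summarize(rst))
    print("RST relation to the SYN:", classify_reset(syn, rst))
```

Run against the posted bytes, the RST decodes with seq 0x3087c242 (the SYN's ISN 0x3087c241 plus one), ack 0 and only the RST bit set, which is the shape a stack produces when a SYN/ACK acknowledging ISN+1 arrives for a connection it does not have. That is the third leg of the flow Glenn sketched, and it is equally what the prober's own kernel would emit if the scanner sent the SYN raw and a SYN/ACK came back. Either way the bytes imply that something acknowledged the SYN with ISN+1, which is the outbound leak Jim says he wants to sniff for. Both headers also carry the same window (8760), and the SYN advertises MSS 1460.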