On Thu, 9 Jul 1998, Lamont Granquist wrote:

> As a followup to this, I've been informed by two people now[*] that Linux
> boxes will respond to SYN|FIN with a SYN|FIN|ACK on an open port.
> Therefore this probably indicates that the SYN|FIN packets were not only
> an attempt to get past poorly designed firewalls, but probably an attempt
> to ID the system being probed as a Linux box as well.

First off, an apology for being so late in a follow-up on this subject. Initially I was at a loss as to what exactly was going on with this port zero business, but after sending some (carefully phrased) email to root at one of the origins of the port 0 packets, I found out what exactly is going on. The good news is that it is most definitely a port scanner and not a DoS attack. The person I contacted informed me that he was doing some (relatively) harmless statistics gathering, and was using a program called "linuxportz 0.1" (which I have yet to find time to track down, and is part of the reason for my delayed follow-up) written by someone called crazy-b, and dated 28.02.98.

The code reportedly allows you to choose the source port for the scan, and the default value is zero. IMHO, it's either a side effect or a bug that it actually uses port 0, rather than selecting a free port automatically (it _is_ a 0.1 version, after all) but I haven't decided which yet.

I have (since the first few emails) heard nothing further from the person. My guess (due to his age) is that he's in trouble with his parents. *chuckle* I hope they're not too hard on him because he was at least polite enough to apologize for alarming me.

And to contradict the statement made by another poster, most port scanners do _not_ use a source port of 0. In fact, two things about this scanner make it stand out like a sore thumb among normal network traffic.
The first is that while its stealth feature may cause getsockname() to fail and return error 107 (Transport endpoint is not connected; as a result of the socket descriptor being built and torn down practically in the same breath) which sufficiently hides the source of the connection from normal daemons that interface at the transport layer, there is almost no normal incidence in which this type of packet would be useful. The SYN and FIN both being set in the same packet sticks out like a sore thumb once you know to look for it. The second fault is that, well, port 0 is one of those things that you also almost never ever see in normal network traffic ...especially as an origination point. I'll give crazy-b points for trying a new theory, but in practice this isn't very stealthy, IMHO.
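The two fingerprints the post describes (SYN and FIN set in the same segment, and a source port of 0) are invisible to daemons that only see accepted connections, so they have to be caught at the packet level. The following is an added example, not code from the post or from the scanner it discusses: it parses raw IPv4/TCP bytes (assumed to have the link-layer header already stripped) and flags both conditions, using packets constructed inline as sample input.

```python
import struct

# TCP flag bits (byte 13 of the TCP header)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_packet(src_port, dst_port, flags, src_ip="10.0.0.1", dst_ip="10.0.0.2"):
    """Constructed IPv4+TCP packet for testing: no options, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return ip + tcp

def inspect_packet(pkt):
    """Return anomaly labels for one raw IPv4 packet; an empty list means unremarkable."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not-ipv4"]
    if pkt[9] != 6:                      # IP protocol 6 is TCP; ignore everything else
        return []
    ihl = (pkt[0] & 0x0F) * 4            # IP header length in bytes (options included)
    if len(pkt) < ihl + 14:              # need everything up to and including the flags byte
        return ["truncated-tcp"]
    src_port, _dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]
    findings = []
    if flags & TCP_SYN and flags & TCP_FIN:
        # SYN and FIN together never occur in a legitimate handshake. With ACK clear
        # it is the probe itself; with ACK set it is the SYN|FIN|ACK reply the post
        # says Linux hosts sent back from open ports.
        findings.append("syn-fin-ack" if flags & TCP_ACK else "syn-fin")
    if src_port == 0:                    # source port 0 is essentially never seen in real traffic
        findings.append("source-port-0")
    return findings

def scan_packets(packets):
    """Tally findings per source IP so one noisy origin surfaces as a single entry."""
    tally = {}
    for pkt in packets:
        labels = inspect_packet(pkt)
        if labels and labels != ["not-ipv4"]:
            src = ".".join(str(b) for b in pkt[12:16])   # IPv4 source address
            tally.setdefault(src, []).extend(labels)
    return tally

if __name__ == "__main__":
    probe = build_packet(0, 80, TCP_SYN | TCP_FIN, src_ip="192.0.2.10")
    reply = build_packet(80, 0, TCP_SYN | TCP_FIN | TCP_ACK, src_ip="10.0.0.2")
    print(scan_packets([probe, reply, build_packet(40000, 80, TCP_SYN)]))
```

Feeding scan_packets() a list of raw IPv4 frames (for instance read from a capture with the Ethernet header removed) gives a per-source tally in which a scanner of this kind shows up as repeated "syn-fin" and "source-port-0" hits from one address.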
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:14 PDT