Re: RST's and ACK's and stealth scans

From: HSKarim (HSKarimat_private)
Date: Sun May 03 1998 - 18:48:55 PDT

  • Next message: Peter Jeremy: "NT vs Unix on the Internet"

    In a message dated 98-05-02 23:59:31 EDT, smbat_private writes:
    << [...snip...]
     Once a connection is set up (that is, has transitioned to ESTABLISHED
     state), all packets will carry the ACK bit.  They must also carry an
     acceptable sequence number.  These provisions both apply to RST messages,
     too.  In this case, though, a RST means that the other side has aborted
     the connection for some reason.
     What flavor RST your firewall should send depends on the connection
     state; if it gets it wrong, the remote side probably won't listen.
     That's definitely the case for a bare RST on an established connection.
     For more details, see RFC 793 and/or a good text on TCP, such as
     Stevens' ``TCP/IP Illustrated, Volume I''.
    I checked RFC 793... but my issues are.... If I am under a stealth scan...
    that is, if someone sent packets that appeared to be a part of another
    connection (by virtue of the ACK bit being set) but weren't really... what
    should I expect to see coming from my firewall in the following cases:
    Scenario... Attacker is coming from Host A and Im at HOST B. Nothing is
    listening on any port. The Initial TCP sequence is some arbitrary number (lets
    say 1234)
    HOST A sends SYN --------------------->HOST B 
    HOST B Should send RST without ACK
    HOST A sends ACK  --------------------->HOST B 
    HOST B Should send what ?
    HOST A sends SYN/ACK --------------------->HOST B 
    HOST B Should send RST with ACK .... (Right? But, what ACK'ed it? No services
    HOST A sends FIN --------------------->HOST B 
    HOST B Should send what ?
    HOST A sends FIN/ACK --------------------->HOST B 
    HOST B Should send what ?
    Once again... I'm just trying to get clarification as to whether RST should
    ALWAYS be accompanied by ACK's or not. And if they are accompanied by ACK's is
    it a valid conclusion that  there was a TCP service listening? 
    Thanks for all of the responses thus far...
    Hassan Karim

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:19 PDT