RE: SYN/ACK to port 53

From: Golden_Eternity (bhodiat_private)
Date: Sat May 26 2001 - 02:20:29 PDT


    > -----Original Message-----
    > From: Ryan Russell [mailto:ryanat_private]
    > Sent: Thursday, May 24, 2001 12:37 PM
    >
    > On Thu, 24 May 2001, DeCamp, Paul wrote:
    >
    > > A SYN/ACK packet is sent to TCP port 53.  No SYN was sent from our system.
    > > The SYN & ACK sequence numbers appear to be random, but the ACK is always 1
    > > less than the SYN.  Our system responds with a RST to the ACK.
    >
    > Exactly what you would expect to see if someone sent them a spoofed packet
    > claiming to be from your IP address, source port 53.  What are the other
    > port numbers?
    >
    > Now why someone would do that, I can't say.  There are some passive
    > fingerprinting techniques this might apply for..
    >
    > 					Ryan
    >
    
    This SYN/ACK packet reminded me of a thread from about two weeks ago, "DNS
    ports and scans" which included discussion of filtering TCP requests to 53.
    One suggestion was to filter inbound connections without the ACK bit set.
    
    If both a normal SYN packet and a spoofed SYN/ACK packet were sent, and the
    responses compared, an attacker might be able to determine whether there was a
    server listening on the port (but filters were in place) versus nothing
    listening at all. For example, if the SYN/ACK received an RST, but the SYN
    returned no response, that could suggest that there is/was/will be something
    on that port. It's not conclusive, but a decent foundation for a "best guess"
    kind of thing.
    
    I don't know if any scanners like this currently exist (it's probably hidden
    in nmap somewhere), but it seems interesting.
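
    The detection side of what Paul and Ryan describe, as an added example that is not part of the original thread: an inbound SYN/ACK from port 53 is only legitimate if this host previously sent a SYN to that address and port, so a small connection tracker can flag the unsolicited ones, and can also note the "ACK is one less than the SYN" pattern reported above. The packet records and field names are constructed for this example and do not follow any real tool's log format.

```python
# Flag unsolicited SYN/ACKs from TCP port 53 by checking each inbound SYN/ACK
# against the SYNs this host actually sent. The Pkt fields are an assumption of
# this example (a stand-in for a firewall or pcap log), not a real schema.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    direction: str   # "out" or "in", relative to the monitored host
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags, e.g. "S", "SA", "R"
    seq: int
    ack: int


def find_unsolicited_synacks(pkts, watch_port=53):
    """Return one finding per inbound SYN/ACK from watch_port that answers
    no SYN this host sent. A real SYN/ACK's ACK number is our ISN + 1 and is
    unrelated to its own SEQ, so ack == seq - 1 is noted as the reported quirk."""
    outbound_syns = set()
    findings = []
    for p in pkts:
        if p.direction == "out" and p.flags == "S":
            # Remember the 4-tuple of every connection we initiated.
            outbound_syns.add((p.src, p.sport, p.dst, p.dport))
        elif p.direction == "in" and p.flags == "SA" and p.sport == watch_port:
            # A legitimate SYN/ACK mirrors one of our SYNs with roles swapped.
            if (p.dst, p.dport, p.src, p.sport) not in outbound_syns:
                findings.append({
                    "src": p.src, "sport": p.sport, "dport": p.dport,
                    "seq": p.seq, "ack": p.ack,
                    "ack_is_seq_minus_one": p.ack == (p.seq - 1) & 0xFFFFFFFF,
                })
    return findings


# Constructed sample: one real DNS-over-TCP handshake, then a stray SYN/ACK
# showing the reported pattern and our host's RST reply to it.
SAMPLE = [
    Pkt("out", "10.0.0.5", 40000, "198.51.100.7", 53, "S", 1000, 0),
    Pkt("in", "198.51.100.7", 53, "10.0.0.5", 40000, "SA", 5000, 1001),
    Pkt("in", "203.0.113.9", 53, "10.0.0.5", 1234, "SA", 777777, 777776),
    Pkt("out", "10.0.0.5", 1234, "203.0.113.9", 53, "R", 777776, 0),
]


def analyze_sample():
    return find_unsolicited_synacks(SAMPLE)


if __name__ == "__main__":
    for f in analyze_sample():
        print(f)
```

Each finding carries the source address of the stray packet; if the ACK/SEQ quirk holds across many sources it points at one crafting tool, and if the "source" is an address you own it is backscatter from packets spoofed with your address, as Ryan suggests.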
    


