> From: Keith Owens [mailto:kaosat_private] > Subject: Unusual TCP port 53 scan > > > Just got hit by a scan for TCP port 53. It is unusual in > that each SYN > packet has an associated RST packet with almost identical timestamp. > Any idea which vulnerability they are trying to use? It > smells like an > attack on some NAT box. Logs are GMT. > > 2001/06/04-12:03:42.677548 216.207.243.167.2417 > > 203.34.97.5.53: S 737509983:737509983(0) win 32120 <mss > 1460,sackOK,timestamp 67939961 0,nop,wscale 0> (DF) > 2001/06/04-12:03:42.687548 216.207.243.167.2417 > > 203.34.97.5.53: R 0:0(0) win 0 Looks like a "half-open" or stealth scan. Rather than completing the three-way handshake, the scanner sends an RST on receipt of SYN/ACK. The nmap man page has more info (look for the -sS option). This is what it looks like through tcpdump. 11:23:49.670000 10.0.0.2.55793 > 10.0.0.1.53: S [tcp sum ok] 3064273040:3064273040(0) win 2048 (ttl 49, id 27693, len 40) 11:23:49.670000 10.0.0.1.53 > 10.0.0.2.55793: S [tcp sum ok] 3236380483:3236380483(0) ack 3064273041 win 32696 <mss 536> (DF) (ttl 64, id 3567, len 44) 11:23:49.670000 10.0.0.2.55793 > 10.0.0.1.53: R [tcp sum ok] 3064273041:3064273041(0) win 0 (DF) (ttl 255, id 0, len 40)
This archive was generated by hypermail 2b30 : Mon Jun 04 2001 - 16:28:36 PDT