Re: odd scans?

From: Brett Glass (brettat_private)
Date: Wed May 29 2002 - 13:47:56 PDT

  • Next message: Mark Newby: "Re: Compromised Win2000 machine."

    At 12:21 PM 5/24/2002, Kyle R. Hofmann wrote:
    >I've seen similar behavior from a misbehaving Linux 2.2.19 system.  I don't
    >know what triggered it, but it began trying to reset connections that weren't
    >05:41:44.057978 xxx.62174 > yyy.zz: R 1060312:1060312(0) win 0
    >05:42:38.212257 xxx.62175 > yyy.zz: R 1060356:1060356(0) win 0
    >05:53:50.091303 xxx.62176 > yyy.zz: R 1060312:1060312(0) win 0
    Resetting connections which are not there is frequently a symptom
    of SYN flooding by someone who's spoofing your source address. We
    see this sort of "backscatter" frequently. A stateful firewall can
    help by blocking SYN-ACKs and ACKs when an outbound SYN was never 
    --Brett Glass
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Wed May 29 2002 - 14:21:50 PDT