Check out this posting:
http://groups.google.com/groups?q=%22CWR+ECE+SYN%22&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=1015153098.7313.0.nnrp-12.c1ed31d9%40news.demon.co.uk&rnum=3

-----------------------

On Sat, 02 Mar 2002 16:09:52 +0000, Calum wrote:

> Hello All,
>
> Just wondering if anyone has seen activity from sinectis.com.ar?
> I have seen them in my logs before.
> Most recent:
>
> Mar 2 16:04:37 mercury kernel: IN=eth1 OUT=
> MAC=00:40:95:43:6f:50:00:d0:ba:1f:0d:54:08:00 SRC=216.244.192.23
> DST=my.ip.add.ress LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=32940 DF
> PROTO=TCP SPT=65280 DPT=39255 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
>
> What are the CWR and ECE flags?

CWR and ECE are used in the SYN packet sent by a host with Explicit Congestion Notification enabled. Some versions of kernel 2.4 had this enabled by default (and it's still user-configurable), so if the packet is legit, it's a fair bet they're using said kernel version.

> What is he looking for on port 39255

<http://www.portsdb.org> doesn't list anything, so I suspect they were probing to see if you were protected by a Cisco PIX firewall. Some versions of PIX silently drop packets with ECE/CWR flags set (as they're reserved in RFC 793).

If you're allowing SYNs to that port, then they'll normally get a TCP RST (if nothing's listening), SYN-ACK (if something is) and/or one of a number of ICMP *-unreachable messages. If you had a PIX firewall there, they'd get nothing back. If they send two probes, one with ECE/CWR set and one not, then that'll give them a strong clue as to whether you're a fan of the Beast of San Francisco.

> Add them to the deny-no-matter-what list, I think.
>
> Might be worth a message to their sysadmins too...

Best Regards,
Alex.

-----------------------

-----Original Message-----
From: Adam Young [mailto:adamat_private]
Sent: Thursday, July 11, 2002 6:57 PM
To: incidentsat_private
Subject: Another odd scan...
--SNIP--
Jul 11 21:52:48 element kernel: (catch-all logging):: IN=eth0 OUT= MAC=* SRC=80.97.2.93 DST=24.215.x.y LEN=60 TOS=0x00 PREC=0x00 TTL=34 ID=64252 DF PROTO=TCP SPT=33124 DPT=77 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
--SNIP--

I got this for about 2 minutes, every 20 seconds or so. I just thought it especially weird with "CWR ECE SYN", looking as to what the meaning of this is. Any help is appreciated greatly,

Adam

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
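The thread above turns on reading two things out of an iptables LOG line: whether the SYN carries the ECE/CWR bits (an ECN-capable opener per RFC 3168, which is what Alex identifies), and whether the same source also sent a plain SYN to the same port shortly afterwards (the two-probe PIX fingerprint he describes). The script below is an added example written for this archive page, not code from Alex, Calum or Adam. It parses the two log lines quoted in the thread plus one constructed follow-up line (a plain SYN from 216.244.192.23 to port 39255 a few seconds later, invented here to exercise the pair detector), classifies each SYN, and reports source/port pairs that match the probe pattern. The function names and the 120-second pairing window are this example's own assumptions.

```python
"""Classify netfilter (iptables LOG target) lines by their TCP flags and spot
the ECN-vs-plain SYN probe pair discussed in the thread.  Added example; not
code from any of the posters."""
import re
from collections import defaultdict
from datetime import datetime

# Flag names exactly as the LOG target prints them.  CWR and ECE are the two
# bits RFC 793 left reserved and RFC 3168 later assigned to ECN.
TCP_FLAG_NAMES = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

_TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s")

# First two lines are the ones quoted in the thread; the third is constructed
# for this example (a plain SYN from the same source to the same port).
SAMPLE_LOG = "\n".join([
    "Mar  2 16:04:37 mercury kernel: IN=eth1 OUT= "
    "MAC=00:40:95:43:6f:50:00:d0:ba:1f:0d:54:08:00 SRC=216.244.192.23 "
    "DST=my.ip.add.ress LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=32940 DF "
    "PROTO=TCP SPT=65280 DPT=39255 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0",
    "Jul 11 21:52:48 element kernel: (catch-all logging):: IN=eth0 OUT= MAC=* "
    "SRC=80.97.2.93 DST=24.215.x.y LEN=60 TOS=0x00 PREC=0x00 TTL=34 ID=64252 DF "
    "PROTO=TCP SPT=33124 DPT=77 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0",
    "Mar  2 16:04:41 mercury kernel: IN=eth1 OUT= "          # constructed
    "MAC=00:40:95:43:6f:50:00:d0:ba:1f:0d:54:08:00 SRC=216.244.192.23 "
    "DST=my.ip.add.ress LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=32941 DF "
    "PROTO=TCP SPT=65281 DPT=39255 WINDOW=5840 RES=0x00 SYN URGP=0",
])


def parse_netfilter_line(line):
    """Parse one syslog line from the iptables LOG target.

    Returns {"ts": datetime, "fields": {KEY: value}, "flags": {bare tokens}}
    or None when the line carries no IN= token (not a netfilter line)."""
    m = _TS_RE.match(line)
    if not m:
        return None
    tokens = line.split()
    # The log prefix is free text; the packet fields begin at the IN= token.
    start = next((i for i, t in enumerate(tokens) if t.startswith("IN=")), None)
    if start is None:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # enough for gaps within one capture (assumption: no year wrap-around).
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    fields, flags = {}, set()
    for tok in tokens[start:]:
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value          # OUT= gives an empty value, as logged
        else:
            flags.add(tok)               # bare tokens: DF, CWR, ECE, SYN, ...
    return {"ts": ts, "fields": fields, "flags": flags}


def tcp_flags(rec):
    return rec["flags"] & TCP_FLAG_NAMES


def is_ecn_setup_syn(rec):
    """RFC 3168 s.6.1.1: an ECN-capable opener sends SYN with ECE and CWR set
    and ACK clear.  A pre-ECN reader sees two 'reserved' bits set instead."""
    f = tcp_flags(rec)
    return (rec["fields"].get("PROTO") == "TCP"
            and {"SYN", "ECE", "CWR"} <= f and "ACK" not in f)


def is_plain_syn(rec):
    return rec["fields"].get("PROTO") == "TCP" and tcp_flags(rec) == {"SYN"}


def find_ecn_probe_pairs(records, window_seconds=120):
    """Report (SRC, DST, DPT) where one source sent both an ECN-setup SYN and a
    plain SYN to the same port within the window: the two-probe pattern that
    reveals a device which silently drops ECE/CWR-flagged SYNs."""
    by_target = defaultdict(list)
    for rec in records:
        if is_ecn_setup_syn(rec) or is_plain_syn(rec):
            f = rec["fields"]
            by_target[(f.get("SRC"), f.get("DST"), f.get("DPT"))].append(rec)
    hits = []
    for key, recs in by_target.items():
        ecn = [r for r in recs if is_ecn_setup_syn(r)]
        plain = [r for r in recs if is_plain_syn(r)]
        if any(abs((e["ts"] - p["ts"]).total_seconds()) <= window_seconds
               for e in ecn for p in plain):
            hits.append(key)
    return sorted(hits)


def summarize(log_text):
    """Parse a whole log excerpt and return counts, ECN openers, probe pairs."""
    records = [r for r in map(parse_netfilter_line, log_text.splitlines()) if r]
    return {
        "parsed": len(records),
        "ecn_setup_syns": [r["fields"]["SRC"] for r in records if is_ecn_setup_syn(r)],
        "probe_pairs": find_ecn_probe_pairs(records),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the two lines from the thread alone, both SYNs classify as ECN-capable openers and no pair is reported, which matches Alex's reading that a lone ECE/CWR SYN is consistent with a stock ECN-enabled Linux 2.4 sender. Only the constructed plain SYN to the same port turns 216.244.192.23 into a probe-pair hit, so the pair check, not the flags by themselves, is what separates "odd but benign" from "fingerprinting the firewall".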
This archive was generated by hypermail 2b30 : Fri Jul 12 2002 - 16:40:14 PDT