In turn, couldn't this be turned into an attack? A DOS of sorts? Charles -----Original Message----- From: Fyodor [mailto:fyodorat_private] Sent: Tuesday, December 24, 2002 2:18 PM To: alfaentomega Cc: incidentsat_private Subject: Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second On Mon, Dec 23, 2002 at 09:33:59PM -0800, alfaentomega wrote: > > I found out that by default nmap doesn't scan every > port (before that I thought every port is scanned > without explicite -p), so I ran "nmap -p1- localhost" > and every time I saw something betwen 0 and 3 (usually > there were 2) ports which were reported by nmap as > open, but during the scan there was "Strange read > error from 127.0.0.1 (104): Operation now in progress" > for every one of them. This may be a problem with your Linux kernel. When Nmap (or many other applications, such as Telnet) does a connect() call, the OS is supposed to choose a good souce port to bind to for the connection. When you connect() to a ephemeral port (1024-4999 or so) on localhost, there is a chance that the system will decide to use as a source port the very port you are connecting to. In a bizarre twist, the application then ends up "connecting to itself"! I consider this to be a Linux kernel bug, but my reports to the linux-kernel list (and offers to fix the problem) have been unheeded. Here is my first posting (from 1999): http://marc.theaimsgroup.com/?l=linux-kernel&m=93598368005241&w=2 So the short summary is that it is just a Linux bug which the developers argue is a feature that they don't intend to fix. I do have a workaround in place for Nmap versions released in the last two or three years -- what version of Nmap are you using and what are the exact command-line arguments? New versions of the Nmap Security Scanner can be found at http://www.insecure.org/nmap/ Cheers, Fyodor ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com -------------------------------------------------------- The information contained in this message is intended only for the recipient, and may be a confidential attorney-client communication or may otherwise be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, please be aware that any dissemination or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify us by replying to the message and deleting it from your computer. Thank you, Standard & Poor's -------------------------------------------------------- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Dec 27 2002 - 15:50:45 PST