|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Golden_Eternity (bhodi
bigfoot.com)Date: Mon Jun 04 2001 - 13:31:06 CDT
> From: Keith Owens [mailto:kaosocs.com.au]
> Subject: Unusual TCP port 53 scan
>
>
> Just got hit by a scan for TCP port 53. It is unusual in
> that each SYN
> packet has an associated RST packet with almost identical timestamp.
> Any idea which vulnerability they are trying to use? It
> smells like an
> attack on some NAT box. Logs are GMT.
>
> 2001/06/04-12:03:42.677548 216.207.243.167.2417 >
> 203.34.97.5.53: S 737509983:737509983(0) win 32120 <mss
> 1460,sackOK,timestamp 67939961 0,nop,wscale 0> (DF)
> 2001/06/04-12:03:42.687548 216.207.243.167.2417 >
> 203.34.97.5.53: R 0:0(0) win 0
Looks like a "half-open" or stealth scan. Rather than completing the
three-way handshake, the scanner sends an RST on receipt of SYN/ACK. The
nmap man page has more info (look for the -sS option).
This is what it looks like through tcpdump.
11:23:49.670000 10.0.0.2.55793 > 10.0.0.1.53: S [tcp sum ok]
3064273040:3064273040(0) win 2048 (ttl 49, id 27693, len 40)
11:23:49.670000 10.0.0.1.53 > 10.0.0.2.55793: S [tcp sum ok]
3236380483:3236380483(0) ack 3064273041 win 32696 <mss 536> (DF) (ttl 64, id
3567, len 44)
11:23:49.670000 10.0.0.2.55793 > 10.0.0.1.53: R [tcp sum ok]
3064273041:3064273041(0) win 0 (DF) (ttl 255, id 0, len 40)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]