From: Andrea Barisani (lcars@INFIS.UNIV.TRIESTE.IT)
Date: Mon Jan 15 2001 - 03:55:04 CST
On Fri, 12 Jan 2001, Jon Gary wrote:
> Off the cuff (and I'm totally guessing here, since I don't have the time to
> check for sure) I'd say that this could be some sort of TCP NULL scan,
> similar to the one that nmap does. By sending a packet with no TCP flags
> set, you can determine if a port is open. If the port is open, you will
> receive no response, but if it is closed, you will get a reset.
Nope, this is not the case. I received them every day from different
(innocent :-) ) hosts at different times, and I'm sure that it is not a null
scan. It seems a misconfiguration of the server and not a client problem;
this is due to the fact that this type of traffic is always directed to the
same server... maybe that server has some stack problem, or it handles
fragmentation in a non-standard way??? (I'm totally guessing here too ;-)
) However, the server is a Sun Ultra 10 with Solaris 2.8.
Bye
>
> Jon Gary
> Click To Secure, Inc.
> http://www.clicktosecure.com/
>
> -----Original Message-----
> From: Focus on Intrusion Detection Systems
> [mailto:FOCUS-IDS@SECURITYFOCUS.COM]On Behalf Of Andrea Barisani
> Sent: Friday, January 12, 2001 8:22 AM
> To: FOCUS-IDS@SECURITYFOCUS.COM
> Subject: Odd tcp packets with zeroed flags
>
>
> Hi to all!
>
> Could anyone explain to me the meaning of these packets?
> I'm receiving them every day, always to the same one, from different
> hosts...
>
> Here's the dump of some of them:
>
> 01/12-12:23:39.033146 0:E0:1E:9C:D2:81 -> 8:0:20:B0:C7:F1 type:0x800 len:0x5FC
> x.x.x.x:0 -> server:0 TCP TTL:125 TOS:0x10 ID:39706 IpLen:20 DgmLen:1480
> ******** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 0
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 01/12-12:36:22.482601 0:E0:1E:9C:D2:81 -> 8:0:20:B0:C7:F1 type:0x800 len:0x5FC
> x.x.x.x:0 -> server:0 TCP TTL:125 TOS:0x0 ID:5635 IpLen:20 DgmLen:1480
> ******** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 0
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 01/12-12:36:22.667276 0:E0:1E:9C:D2:81 -> 8:0:20:B0:C7:F1 type:0x800 len:0x5FC
> x.x.x.x:0 -> server:0 TCP TTL:125 TOS:0x0 ID:5891 IpLen:20 DgmLen:1480
> ******** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 0
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 01/12-12:36:22.852458 0:E0:1E:9C:D2:81 -> 8:0:20:B0:C7:F1 type:0x800 len:0x5FC
> x.x.x.x:0 -> server:0 TCP TTL:125 TOS:0x0 ID:6147 IpLen:20 DgmLen:1480
> ******** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 0
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Thanks for any help...
>
> Bye
>
------------------------------------------------------------
INFIS Network Administrator & Security Officer
Department of Physics - University of Trieste
lcars@infis.univ.trieste.it - PGP Key 0x8E21FE82
------------------------------------------------------------
"How would you know I'm mad?" said Alice.
"You must be," said the Cat, "or you wouldn't have come here."
------------------------------------------------------------
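A defender-side triage check for the two hypotheses raised in this thread (a TCP NULL scan versus fragments or a decoder artefact), added here as an example and not part of the original posts. It parses Snort-style header lines in the format quoted above; the first two sample pairs are copied from the dump, the third is a constructed contrast line shaped like a genuine flagless probe (full 20-byte TCP header, real ports, no data), and the verdict names are chosen for this example.

```python
import re

# Constructed sample: two header pairs copied from the dump quoted above, plus one
# constructed pair shaped like a genuine flagless probe (20-byte TCP header, real
# ports, no payload) for contrast.
SAMPLE_DUMP = """\
x.x.x.x:0 -> server:0 TCP TTL:125 TOS:0x10 ID:39706 IpLen:20 DgmLen:1480
******** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 0
x.x.x.x:0 -> server:0 TCP TTL:125 TOS:0x0 ID:5635 IpLen:20 DgmLen:1480
******** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 0
10.0.0.9:43210 -> server:80 TCP TTL:48 TOS:0x0 ID:12345 IpLen:20 DgmLen:40
******** Seq: 0x1A2B3C4D Ack: 0x0 Win: 0x400 TcpLen: 20
"""

# Snort's IP and TCP lines; the flag field is eight characters from 12UAPRSF,
# with '*' marking an unset bit.
IP_LINE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) TCP TTL:(\d+) TOS:0x[0-9A-Fa-f]+"
                     r" ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
TCP_LINE = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x[0-9A-Fa-f]+ Ack: 0x[0-9A-Fa-f]+"
                      r" Win: 0x[0-9A-Fa-f]+ TcpLen: (\d+)")

def parse(text):
    """Pair each IP header line with the TCP line that follows it."""
    packets, pending = [], None
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if m:
            pending = dict(sport=int(m[2]), dport=int(m[4]), ip_id=int(m[6]),
                           iplen=int(m[7]), dgmlen=int(m[8]))
            continue
        m = TCP_LINE.match(line)
        if m and pending:
            pending.update(flags=m[1], tcplen=int(m[2]))
            packets.append(pending)
            pending = None
    return packets

def classify(pkt):
    if pkt["flags"].replace("*", ""):
        return "flags-set"  # some flag is on: not a NULL-flag packet at all
    # A TCP header is at least 20 bytes. TcpLen 0 with port 0 on both sides means the
    # decoder never saw a real TCP header: a non-initial IP fragment or a mis-decoded
    # datagram looks like this, a scanner's probe does not.
    if pkt["tcplen"] < 20 or (pkt["sport"] == 0 and pkt["dport"] == 0):
        return "no-tcp-header"
    payload = pkt["dgmlen"] - pkt["iplen"] - pkt["tcplen"]
    # nmap-style NULL probes carry a complete header and no data.
    return "null-scan-candidate" if payload == 0 else "flagless-with-payload"

def triage(text):
    return [(p["ip_id"], classify(p)) for p in parse(text)]
```

Run `triage(SAMPLE_DUMP)`: the two packets from the thread come back as `no-tcp-header`, while only the constructed probe qualifies as a `null-scan-candidate`.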