Re: odd scans?

From: Brett Glass (brett@lariat.org)
Date: 05/29/02


Date: Wed, 29 May 2002 14:47:56 -0600
To: "Kyle R. Hofmann" <krh@lemniscate.net>, "Scott, Michael R." <MICHAEL.R.SCOTT@saic.com>
From: Brett Glass <brett@lariat.org>

At 12:21 PM 5/24/2002, Kyle R. Hofmann wrote:

>I've seen similar behavior from a misbehaving Linux 2.2.19 system. I don't
>know what triggered it, but it began trying to reset connections that weren't
>there:
>
>05:41:44.057978 xxx.62174 > yyy.zz: R 1060312:1060312(0) win 0
>05:42:38.212257 xxx.62175 > yyy.zz: R 1060356:1060356(0) win 0
>05:53:50.091303 xxx.62176 > yyy.zz: R 1060312:1060312(0) win 0

[Snip]

Resetting connections which are not there is frequently a symptom
of SYN flooding by someone who's spoofing your source address. We
see this sort of "backscatter" frequently. A stateful firewall can
help by blocking SYN-ACKs and ACKs when an outbound SYN was never
sent.

--Brett Glass
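
Added example, not part of the original message: a minimal Python sketch of the stateful check described above, run over a constructed capture in the same tcpdump text format as the quoted lines. The addresses (documentation ranges), the `classify` function and its verdict labels are assumptions for illustration.

```python
import re

LOCAL = "192.0.2.10"  # assumed address of the protected host (documentation range)

# Constructed capture in the old tcpdump text format quoted in the thread.
SAMPLE = """\
05:40:00.000001 192.0.2.10.40001 > 198.51.100.5.80: S 1000:1000(0) win 5840
05:40:00.050000 198.51.100.5.80 > 192.0.2.10.40001: S 9000:9000(0) ack 1001 win 5840
05:40:00.050100 192.0.2.10.40001 > 198.51.100.5.80: . ack 9001 win 5840
05:41:44.000000 203.0.113.7.80 > 192.0.2.10.62174: S 7000:7000(0) ack 1060312 win 5840
05:41:44.000200 192.0.2.10.62174 > 203.0.113.7.80: R 1060312:1060312(0) win 0
05:42:38.000000 203.0.113.7.80 > 192.0.2.10.62175: . ack 1060356 win 5840
05:42:38.000200 192.0.2.10.62175 > 203.0.113.7.80: R 1060356:1060356(0) win 0
"""

LINE = re.compile(r"^\S+ ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): (\S+) ?(.*)$")

def classify(text, local=LOCAL):
    """Label each packet the way a minimal stateful filter would see it."""
    state = set()    # (local port, remote ip, remote port) with an outbound SYN seen
    refused = set()  # flows where an inbound SYN-ACK/ACK matched no state
    verdicts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags, rest = m.groups()
        has_ack = re.search(r"(^|\s)ack \d+", rest) is not None
        verdict = "pass"
        if src == local:
            key = (sport, dst, dport)
            if "S" in flags and not has_ack:
                state.add(key)  # outbound SYN opens state (no timeout modelled)
            elif "R" in flags and key in refused:
                verdict = "rst-to-unsolicited"  # the symptom in the quoted capture
        elif dst == local:
            key = (dport, src, sport)
            if has_ack and key not in state:
                refused.add(key)
                verdict = "drop-unsolicited"  # SYN-ACK or ACK with no outbound SYN
        verdicts.append((verdict, line))
    return verdicts

if __name__ == "__main__":
    for verdict, line in classify(SAMPLE):
        print(f"{verdict:20} {line}")
```

With the filter in place the `drop-unsolicited` packets never reach the host, so the `rst-to-unsolicited` lines would not appear on the wire at all.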

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com