Invalid TCP header flags
From: kyle.r.maxwell@verizon.comDate: 07/08/02
- Previous message: Alexander Bochmann: "Re: Apache Worm / ddos"
- Next in thread: Crist J. Clark: "Re: Invalid TCP header flags"
- Reply: Crist J. Clark: "Re: Invalid TCP header flags"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: kyle.r.maxwell@verizon.com To: incidents@securityfocus.com Date: Mon, 8 Jul 2002 15:22:21 -0500
We're seeing occasional TCP traffic with FIN-RST-ACK or FIN-PSH-RST-ACK set
in the header. The strange part is that it's always set for port 110 (this
is in fact a legitimate POP server). The traffic is observed inside the
firewall; I don't have an IDS sensor outside.
Could this just be port scanning, OS fingerprinting, a broken stack, or
something else? I've googled around but haven't found too much useful info,
other than to see that other folks have seen similar stuff.
-- Kyle Maxwell InfoSec Engineer Global Security Operations Center Verizon International Security Office - 972-929-1287 Hotline - 972-929-1290 kyle.r.maxwell@verizon.com---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Previous message: Alexander Bochmann: "Re: Apache Worm / ddos"
- Next in thread: Crist J. Clark: "Re: Invalid TCP header flags"
- Reply: Crist J. Clark: "Re: Invalid TCP header flags"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
