Invalid TCP header flags

Date: 07/08/02

Date: Mon, 8 Jul 2002 15:22:21 -0500

We're seeing occasional TCP traffic with FIN-RST-ACK or FIN-PSH-RST-ACK set
in the header. The strange part is that it's always set for port 110 (this
is in fact a legitimate POP server). The traffic is observed inside the
firewall; I don't have an IDS sensor outside.

Could this just be port scanning, OS fingerprinting, a broken stack, or
something else? I've googled around but haven't found too much useful info,
other than to see that other folks have seen similar stuff.

Kyle Maxwell
InfoSec Engineer
Global Security Operations Center
Verizon International Security
Office  - 972-929-1287
Hotline - 972-929-1290
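
Added example, not part of the original post: a Python check that decodes the flag bits of a raw TCP header and reports segments on port 110 carrying FIN together with RST, the combinations described above. The list of contradictory pairs (which goes beyond the post's two combinations), the function names and the sample headers are assumptions constructed for illustration.

```python
import struct

# Classic TCP flag bits (RFC 793), listed in the order the post names them.
FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("PSH", 0x08),
         ("RST", 0x04), ("ACK", 0x10), ("URG", 0x20))
# Pairs that ask for contradictory things in one segment (assumed rule set).
CONTRADICTORY = (("FIN", "RST"), ("SYN", "FIN"), ("SYN", "RST"))
POP3_PORT = 110


def parse_tcp(header):
    """Return (src_port, dst_port, flag_names) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    names = tuple(n for n, bit in FLAGS if off_flags & bit)
    return sport, dport, names


def triage(header, port=POP3_PORT):
    """Describe a segment on `port` whose flags contradict each other, else None."""
    sport, dport, names = parse_tcp(header)
    if port not in (sport, dport):
        return None
    hits = [f"{a}+{b}" for a, b in CONTRADICTORY if a in names and b in names]
    if not hits:
        return None
    # Direction matters for follow-up: sent from the server port or towards it.
    side = "from-server" if sport == port else "to-server"
    return {"flags": "-".join(names), "conflicts": hits, "direction": side}


def make_header(sport, dport, flag_bits):
    """Build a constructed 20-byte header (data offset 5, zeroed checksum)."""
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 2000,
                       (5 << 12) | flag_bits, 8192, 0, 0)


# Constructed sample segments, not captured traffic.
SAMPLES = [
    make_header(110, 40001, 0x15),   # FIN-RST-ACK from port 110
    make_header(110, 40002, 0x1D),   # FIN-PSH-RST-ACK from port 110
    make_header(40003, 110, 0x18),   # PSH-ACK to port 110 (ordinary data)
    make_header(40004, 80, 0x15),    # FIN-RST-ACK on another port
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
```

The direction field separates segments sent from port 110 from segments sent to it, which narrows whether to look at the server side or the client side first.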

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking
system please see: