Invalid TCP header flags

From: kyle.r.maxwell@verizon.com
To: incidents@securityfocus.com
Date: Mon, 8 Jul 2002 15:22:21 -0500

We're seeing occasional TCP traffic with FIN-RST-ACK or FIN-PSH-RST-ACK set
in the header. The strange part is that it's always set for port 110 (this
is in fact a legitimate POP server). The traffic is observed inside the
firewall; I don't have an IDS sensor outside.

Could this just be port scanning, OS fingerprinting, a broken stack, or
something else? I've googled around but haven't found too much useful info,
other than to see that other folks have seen similar stuff.

--
Kyle Maxwell
InfoSec Engineer
Global Security Operations Center
Verizon International Security
Office  - 972-929-1287
Hotline - 972-929-1290
kyle.r.maxwell@verizon.com
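
Added example, not part of the original post: a Python check that parses raw TCP headers and reports segments on a watched port whose flags pair contradictory actions, such as the FIN-RST-ACK and FIN-PSH-RST-ACK combinations described above (FIN asks for an orderly close, RST aborts the connection). The sample headers, the client ports, and all function names are constructed for illustration.

```python
import struct

# TCP flag bits in the low 6 bits of header bytes 12-13 (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = [(FIN, "FIN"), (SYN, "SYN"), (PSH, "PSH"), (RST, "RST"), (ACK, "ACK"), (URG, "URG")]

def flag_names(flags):
    return "-".join(name for bit, name in NAMES if flags & bit) or "NONE"

def parse_tcp(segment):
    """Return (src_port, dst_port, flags) from the start of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return sport, dport, off_flags & 0x3F

def anomalies(flags):
    """Name the contradictory pairings in a flag field (empty list if none)."""
    why = []
    if flags == 0:
        why.append("no flags set")
    if flags & SYN and flags & FIN:
        why.append("SYN with FIN")
    if flags & SYN and flags & RST:
        why.append("SYN with RST")
    if flags & FIN and flags & RST:
        why.append("FIN with RST")
    return why

def suspicious(segments, port):
    """Segments to or from `port` whose flags contain a contradictory pairing."""
    hits = []
    for seg in segments:
        sport, dport, flags = parse_tcp(seg)
        why = anomalies(flags)
        if why and port in (sport, dport):
            hits.append((sport, dport, flag_names(flags), why))
    return hits

def build(sport, dport, flags):
    # Constructed 20-byte header: data offset 5, every other field zeroed.
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 0, 0, 0)

# Constructed sample traffic (all ports other than 110 are made up).
SAMPLES = [build(40001, 110, SYN), build(110, 40001, PSH | ACK),
           build(40002, 110, FIN | RST | ACK), build(40003, 110, FIN | PSH | RST | ACK),
           build(40004, 25, FIN | RST | ACK)]

if __name__ == "__main__":
    for hit in suspicious(SAMPLES, 110):
        print(hit)
```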
