Invalid TCP header flags

Date: 07/08/02

Date: Mon, 8 Jul 2002 15:22:21 -0500

We're seeing occasional TCP traffic with FIN-RST-ACK or FIN-PSH-RST-ACK set
in the header. The strange part is that it's always set for port 110 (this
is in fact a legitimate POP server). The traffic is observed inside the
firewall; I don't have an IDS sensor outside.

Could this just be port scanning, OS fingerprinting, a broken stack, or
something else? I've googled around but haven't found too much useful info,
other than to see that other folks have seen similar stuff.

Kyle Maxwell
InfoSec Engineer
Global Security Operations Center
Verizon International Security
Office  - 972-929-1287
Hotline - 972-929-1290
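
An added example, not part of the original post: one way to tally the flag combinations reported above from raw TCP headers, counting segments to or from port 110. The header bytes are constructed sample data, and treating FIN+RST (along with SYN+FIN, SYN+RST and no flags at all) as anomalous is this example's assumption.

```python
import struct
from collections import Counter

# Bits of the TCP flags byte (offset 13 of the TCP header), listed in the
# order used for labels such as FIN-PSH-RST-ACK.
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("PSH", 0x08),
             ("RST", 0x04), ("ACK", 0x10), ("URG", 0x20)]

def parse_tcp(header: bytes):
    """Return (src_port, dst_port, [flag names]) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    src, dst = struct.unpack("!HH", header[:4])
    return src, dst, [name for name, bit in FLAG_BITS if header[13] & bit]

def is_anomalous(flags) -> bool:
    """Assumption of this example: these combinations are not expected
    from a normal connection teardown or setup."""
    f = set(flags)
    return (not f or {"FIN", "RST"} <= f
            or {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f)

def summarize(headers, service_port=110):
    """Count anomalous flag combinations on segments to or from service_port."""
    counts = Counter()
    for raw in headers:
        src, dst, flags = parse_tcp(raw)
        if service_port in (src, dst) and is_anomalous(flags):
            counts["-".join(flags) or "NONE"] += 1
    return counts

def build_header(src, dst, flags):
    """Constructed 20-byte TCP header (sequence numbers and checksum zeroed)."""
    return struct.pack("!HHIIBBHHH", src, dst, 0, 0, 5 << 4, flags, 8192, 0, 0)

# Constructed sample traffic, not captured data.
SAMPLES = [
    build_header(110, 1045, 0x15),   # FIN-RST-ACK
    build_header(110, 1046, 0x1D),   # FIN-PSH-RST-ACK
    build_header(110, 1047, 0x18),   # PSH-ACK, ordinary data segment
    build_header(1047, 110, 0x02),   # SYN, ordinary connection attempt
    build_header(110, 1048, 0x15),   # FIN-RST-ACK
    build_header(80, 1049, 0x15),    # FIN-RST-ACK, but not the POP port
]

if __name__ == "__main__":
    for combo, n in summarize(SAMPLES).most_common():
        print(f"{n:3d}  {combo}")
```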

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see:
