Re: Another odd scan...

From: Muhammad Faisal Rauf Danka (mfrd@attitudex.com)
Date: 07/13/02


Date: Sat, 13 Jul 2002 13:30:10 -0700 (PDT)
From: Muhammad Faisal Rauf Danka <mfrd@attitudex.com>
To: incidents@securityfocus.com


('binary' encoding is not supported, stored as-is)

well CRW is Congestion Window Reduced and ECN is Explicit Congestion
Notification in TCP/IP headers.

TCP inclused a 6 bit reserved field for future use as defined in RFC
793, 2 of those six reserved fields to be used for ECN purposes as
defined in RFC 3168.

8th bit= CWR (Congestion Window Reduced)
9th bit= ECE (ECN-Echo)

hope it helps... =)
 
references = RFC 793 and 3168.

Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk

--- message from Adam Young <adam@vbfx.com> attached:

_____________________________________________________________
---------------------------
[ATTITUDEX.COM]
http://www.attitudex.com/
---------------------------

_____________________________________________________________
Promote your group and strengthen ties to your members with email@yourgroup.org by Everyone.net http://www.everyone.net/?btn=tag



attached mail follows:


('binary' encoding is not supported, stored as-is)
Date: Thu, 11 Jul 2002 21:56:35 -0400
From: Adam Young <adam@vbfx.com>
To: incidents@securityfocus.com



--SNIP--
Jul 11 21:52:48 element kernel: (catch-all logging):: IN=eth0 OUT= MAC=*
SRC=80.97.2.93 DST=24.215.x.y LEN=60 TOS=0x00 PREC=0x00 TTL=34 ID=64252
DF PROTO=TCP SPT=33124 DPT=77 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
--SNIP--

        I got this for about 2 minutes, every 20 seconds or so, I just thought
it especially weird with "CWR ECE SYN", looking as to what the meaning
of this is.

        Any help is appreciated greatly,

                Adam






----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com