RE: Strange replies on closed port



a and b seem to be clear:
a: firewalled host
b: non-firewalled host

These observations seem to be correct.

c and d are a bit strange: Who is responding with the
ICMP messages: the target host or a packet filter? Especially
the hping message in d confuses me a bit.
What should be the default behaviour for an IP stack if it
gets a SYN on a closed port?

The default behaviour is to send an ICMP packet with port unreachable.
Host d) is filtered by an access list on the router in front of the
server.

Lars
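
An added example, not part of the original message: the question of whether the target host or a packet filter sent the ICMP reply can be checked from the reply itself, by comparing its source address with the destination address of the probe quoted inside the ICMP payload. The addresses, port and packets below are constructed samples, and the function names are hypothetical.

```python
import socket
import struct

# ICMP type 3 (destination unreachable) codes commonly seen when probing ports.
CODES = {3: "port unreachable",
         9: "network administratively prohibited",
         10: "host administratively prohibited",
         13: "communication administratively prohibited"}

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header for the constructed samples (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def classify_icmp_reply(packet):
    """Return (responder, code_name, verdict) for a raw IPv4 ICMP unreachable."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    if packet[ihl] != 3:
        raise ValueError("not a destination-unreachable message")
    responder = socket.inet_ntoa(packet[12:16])
    code = packet[ihl + 1]
    # After the 8-byte ICMP header comes the IP header of the probe that
    # triggered the error; its destination field is the host that was probed.
    inner = packet[ihl + 8:]
    if len(inner) < 20:
        raise ValueError("truncated embedded header")
    probed = socket.inet_ntoa(inner[16:20])
    if responder == probed:
        verdict = "sent from the probed host's own address"
    else:
        verdict = "sent by an intermediate device (router or packet filter)"
    return responder, CODES.get(code, "code %d" % code), verdict

def sample(responder, target, code):
    """Constructed reply quoting a TCP SYN probe from 192.0.2.10 to target:8080."""
    tcp = struct.pack("!HHI", 40000, 8080, 1)   # first 8 bytes of the TCP header
    inner = ipv4_header("192.0.2.10", target, 6, len(tcp)) + tcp
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + inner  # ICMP checksum left 0
    return ipv4_header(responder, "192.0.2.10", 1, len(icmp)) + icmp

if __name__ == "__main__":
    print(classify_icmp_reply(sample("198.51.100.7", "198.51.100.7", 3)))
    print(classify_icmp_reply(sample("198.51.100.1", "198.51.100.7", 13)))
```

A host-based filter running on the target replies from the target's own address, so the source comparison only singles out an upstream device such as a router access list.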
