Message-ID: <CAG-zyRzT5rYwXXdVGy5rx3PFDASy20uoa0S1K3DUYzHwgnpKdw@mail.gmail.com>
Date: Wed, 25 Sep 2013 11:06:48 -0400
From: Justin Ferguson <jf@...co.net>
To: "silence_is_best@...hmail.com" <silence_is_best@...hmail.com>
Cc: Full Disclogure <full-disclosure@...ts.grok.org.uk>
Subject: Re: SYN ACK scans to random ports
Ftr I would expect to see other packets inbound if someone were attempting
to map a firewall; otherwise you wouldn't know if there was a firewall even
in place.
Moreover, is there even a firewall out there that doesn't track state
anymore? I'm sure there is, but this is likely to be akin to hoping
firewalls won't deal with fragments properly and similar...that doesn't stop
someone from downloading nmap, reading the manpage and trying it though.
The ports in question are probably important; as pointed out, the source
port may help you confirm that they're trying to evade a firewall from the
90s; destination port will give you an idea of what they were after. If
there was a spoofed SYN and his boxes were sending SYN-ACKs to the spoofed
address..he would be seeing the SYNs too.
Whoever said the bit about checking for a stateful firewall is probably
right; the lack of other types of flags would tell me either they're using a
different source IP or more likely that they're just running some tool
without knowing what they're doing/why they're doing it; they just read
some old text that said it bypasses firewalls.
On Wednesday, September 25, 2013, <silence_is_best@...hmail.com> wrote:
>
>
> On 09/24/2013 at 10:29 PM, "Crist Clark" <cjclark@...m.mit.edu> wrote:
>
> Backscatter. Someone may be sending out spoofed SYNs. The target sends
SYN-ACKs to the spoofed source, you. What's the source port? A well known
service? Do the source addresses really have reachable services on those
ports?
>
> On Sep 24, 2013 7:25 AM, <silence_is_best@...hmail.com> wrote:
>>
>> Can someone explain the point of a SYN ACK scan to random high ports? I
usually see a fair amount of these...at first I thought it was maybe a
block to an initiating SYN packet, but I don't see any evidence that the
SYN ACK isn't the first packet seen. Danke.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> That's a great point Crist I had not thought about that...thanks for the
insight.
>
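The thread makes two observations that can be turned into a concrete triage step: Crist's point that unsolicited SYN-ACKs arriving from well-known service ports at random high ports look like backscatter from spoofed SYNs, and Justin's point that the same flag arriving from one source across your service ports, with no other flag types seen, looks more like someone running a scanning tool. The script below is an added example, not code from anyone in this thread. It replays a constructed list of packet summaries (documentation addresses, invented ports), keeps the state a stateful firewall would keep (which outbound SYNs we actually sent), isolates the SYN-ACKs no SYN of ours explains, and labels each source using the two patterns above. The 1023 boundary and the three-port threshold are assumptions chosen for the example, not values from the thread.

```python
from collections import defaultdict

OUR_IP = "192.0.2.10"          # our host (RFC 5737 documentation address)
WELL_KNOWN_MAX = 1023          # assumption: ports <= 1023 treated as service ports
PROBE_MIN_PORTS = 3            # assumption: this many of our service ports from one source = probe-like

# Constructed packet summaries for the example, not captured traffic:
# (direction, src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE_PACKETS = [
    # A connection we opened: our SYN, then the server's SYN-ACK (solicited).
    ("out", OUR_IP, 40001, "198.51.100.5", 443, "S"),
    ("in", "198.51.100.5", 443, OUR_IP, 40001, "SA"),
    # SYN-ACKs from service ports of many hosts to random high ports: backscatter pattern.
    ("in", "203.0.113.7", 80, OUR_IP, 51234, "SA"),
    ("in", "203.0.113.8", 80, OUR_IP, 61877, "SA"),
    ("in", "203.0.113.9", 443, OUR_IP, 35022, "SA"),
    # SYN-ACKs from one host, fixed source port, walking our service ports: probe pattern.
    ("in", "198.51.100.77", 80, OUR_IP, 22, "SA"),
    ("in", "198.51.100.77", 80, OUR_IP, 25, "SA"),
    ("in", "198.51.100.77", 80, OUR_IP, 80, "SA"),
]


def find_unsolicited_synacks(packets):
    """Return (src_ip, src_port, our_port) for each inbound SYN-ACK that no
    earlier outbound SYN of ours accounts for. This is the check a stateful
    firewall performs before deciding whether a SYN-ACK belongs to a flow."""
    pending = set()          # (our_port, peer_ip, peer_port) for SYNs we sent
    unsolicited = []
    for direction, src, sport, dst, dport, flags in packets:
        if direction == "out" and flags == "S":
            pending.add((sport, dst, dport))
        elif direction == "in" and flags == "SA":
            if (dport, src, sport) not in pending:
                unsolicited.append((src, sport, dport))
    return unsolicited


def classify_sources(unsolicited):
    """Label each source of unsolicited SYN-ACKs.

    backscatter-like: every packet comes from a service port and lands on a
                      random high port of ours (reply to a SYN spoofed with
                      our address, as Crist describes).
    probe-like:       one source hits several of our service ports (a tool
                      hoping a stateless filter passes SYN-ACK, as Justin
                      describes).
    """
    by_src = defaultdict(list)
    for src, sport, dport in unsolicited:
        by_src[src].append((sport, dport))
    verdicts = {}
    for src, pairs in by_src.items():
        our_ports = {dport for _, dport in pairs}
        from_service_port = all(sport <= WELL_KNOWN_MAX for sport, _ in pairs)
        if len(our_ports) >= PROBE_MIN_PORTS and all(p <= WELL_KNOWN_MAX for p in our_ports):
            verdicts[src] = "probe-like"
        elif from_service_port and all(p > WELL_KNOWN_MAX for p in our_ports):
            verdicts[src] = "backscatter-like"
        else:
            verdicts[src] = "unclear"
    return verdicts


def flags_seen_per_source(packets):
    """Tally inbound flag combinations per source; a source that sends nothing
    but SYN-ACK is the 'lack of other types of flags' signal from the thread."""
    tally = defaultdict(set)
    for direction, src, _, _, _, flags in packets:
        if direction == "in":
            tally[src].add(flags)
    return dict(tally)


def summarize(packets):
    """Combine the three checks into one report keyed by source address."""
    verdicts = classify_sources(find_unsolicited_synacks(packets))
    flags = flags_seen_per_source(packets)
    return {src: {"verdict": v, "flags_seen": sorted(flags.get(src, ()))}
            for src, v in verdicts.items()}


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_PACKETS).items():
        print(f"{src:16} {info['verdict']:17} flags={info['flags_seen']}")
```

Two of the thread's follow-up questions are deliberately left out because they cannot be answered offline: whether the source addresses really run a reachable service on those ports, and whether the source port is the same for every packet from a given host, which would point at a tool fixing its source port to slip past an old port-based rule. Both are easy to bolt onto `summarize` once the classification has picked out which sources deserve a closer look.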