Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: TCP SYN probe detection tool available

From: brian () saturn net (Brian Mitchell)
Date: Thu, 16 May 1996 12:49:50 -0400

On Thu, 16 May 1996, Henri Karrenbeld wrote:


I am afraid I do not read other security lists besides this one (I glance at
Linux-alert and Linux-security occasionally when linux.dev.* mentions something)And of course stuff like 
cert-advisory, but in none of these have I seen
what actually can be done with SYN packets... Could someone explain this?


Services can be probed for. Let's take 2 short examples:

Attacker sends a syn packet to port 23 (telnet)

There is no server on that port, so the server sends back a rst|syn
sequence (acknowledging the syn, and tearing down the connection).

In this case, nothing was listening, no logs will generally be generated.

Now, an attacker does the same thing, but to say port 25 (smtp)

There is a server on this port, the server sends back a ack|syn sequence

The bad guy now knows there is something on the port, but because the
three way handshake has not been completed it is not logged, the bad guy
can then send a rst tearing down the connection, since he has the
information he is after.

I think some time ago a detailed post was made to this list describing
the various ways a stealth scanner could be implemented, although i'm not
100% sure.

Brian Mitchell                  brian () saturn net
World Wide Web                  http://www.saturn.net/~brian

"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman
Previous By Date Next
Previous By Thread Next

Current thread: