Security Incidents mailing list archives
SYN/ACK probe attempt to TCP 3072?
From: SIU Credit Union IS Dept <isdept () cecc net>
Date: Wed, 7 Mar 2001 12:36:39 -0600
(Curt Wilson) Here is something I don't normally see, any advice/comments?

Mar 06 04:30:57 [192.149.115.1] %PIX-6-106015: Deny TCP (no connection) from 204.178.125.65/25 to 192.168.x.x/3072 flags SYN ACK on interface outside

Remote system belongs to an Internet chess club. Connection appears to originate from an SMTP port on the remote side, attempts to connect to TCP port 3072, with SYN ACK flags. The SYN ACK flags, in normal operation, indicate that this is a reply to a connection origination. So, if this were legit traffic, it would indicate that our extranet system initiated the sending of an email to this remote system. However, if this were the case, the PIX firewall would have an entry in its state table that allowed the connection back through. Since there is no way that I know of to trick the PIX state table, I suspect that this is a crafted packet designed to fool access control mechanisms with the combination of port 25 and the SYN ACK flags. I have been unable to find reference to port 3072 however, so it is unclear what the attacker may have been after. It's also possible that some type of network problem redirected this connection.

Remote host is a BSD box and appears to have many open ports and could very well be compromised. I left a message with the site to notify them of this possibility.

Mar 06 04:30:57 [192.149.115.1] %PIX-6-106015: Deny TCP (no connection) from 204.178.125.65/25 to 192.168.x.x/3072 flags SYN ACK on interface outside

Curt Wilson
Network Administrator, SIUCU
Consultant, Netw3 Consulting
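The triage the post walks through by hand (unsolicited SYN/ACK, service source port, no entry in the state table) is easy to run over a batch of PIX 106015 lines. The following is an added example, not code from the original post or from Cisco: it parses the 106015 message format shown above, isolates denied SYN/ACK segments, and summarizes them per source so a one-off like the one reported can be told apart from the same source hitting many internal hosts. The log lines are constructed; the source address and port from the post are reused, but the masked 192.168.x.x targets and the other sources are invented for the example. The `would_pass_stateless_established_acl` check makes the post's concern concrete: a router ACL using the `established` keyword matches on the ACK or RST bit alone and would have admitted every one of these segments, whereas the stateful PIX dropped them because no flow existed. One caveat the post does not raise but a practitioner should keep in mind: unsolicited SYN/ACKs from a service port are also the classic backscatter of a SYN flood that spoofed your address range as its source, which is what the "spread" pattern below is meant to surface.

```python
import re
from collections import defaultdict

# Cisco PIX syslog ID 106015: a TCP segment dropped because it matches no
# existing connection in the firewall's state table.
PIX_106015 = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"
)

# Constructed sample log. Line 1 mirrors the post (internal address filled in
# with a made-up host); the remaining sources and targets are invented.
SAMPLE_LOG = """\
Mar 06 04:30:57 [192.149.115.1] %PIX-6-106015: Deny TCP (no connection) from 204.178.125.65/25 to 192.168.1.10/3072 flags SYN ACK on interface outside
Mar 06 04:31:02 [192.149.115.1] %PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/80 to 192.168.1.10/1025 flags RST on interface outside
Mar 06 04:31:05 [192.149.115.1] %PIX-6-106015: Deny TCP (no connection) from 203.0.113.9/53 to 192.168.1.10/33421 flags SYN ACK on interface outside
Mar 06 04:31:09 [192.149.115.1] %PIX-6-106015: Deny TCP (no connection) from 203.0.113.9/53 to 192.168.1.11/33500 flags SYN ACK on interface outside
Mar 06 04:31:11 [192.149.115.1] %PIX-6-106015: Deny TCP (no connection) from 203.0.113.9/53 to 192.168.1.12/33601 flags SYN ACK on interface outside
"""


def parse_106015(text):
    """Turn raw syslog text into a list of dicts, one per 106015 message."""
    events = []
    for line in text.splitlines():
        m = PIX_106015.search(line)
        if not m:
            continue  # not a 106015 line; ignore
        e = m.groupdict()
        e["src_port"] = int(e["src_port"])
        e["dst_port"] = int(e["dst_port"])
        e["flags"] = frozenset(e["flags"].split())
        e["timestamp"] = line[:15]  # "Mar 06 04:30:57"
        events.append(e)
    return events


def unsolicited_synack(events):
    """SYN/ACK denied for lack of state: the firewall never saw our SYN."""
    return [e for e in events if e["flags"] == {"SYN", "ACK"}]


def would_pass_stateless_established_acl(event):
    """A stateless 'established' ACL admits any segment with ACK or RST set,
    regardless of whether a handshake ever happened."""
    return bool(event["flags"] & {"ACK", "RST"})


def summarize_sources(events):
    """Group unsolicited SYN/ACKs by source and characterise the pattern.

    'isolated': a single segment, as in the post (probe, routing oddity, or
    a lone piece of backscatter). 'spread': one source answering to several
    of our hosts, which is what backscatter from a spoofed SYN flood looks
    like. 'repeated': same source, same target, more than once.
    """
    per_src = defaultdict(lambda: {"hits": 0, "targets": set(),
                                   "src_ports": set(), "dst_ports": []})
    for e in unsolicited_synack(events):
        s = per_src[e["src_ip"]]
        s["hits"] += 1
        s["targets"].add(e["dst_ip"])
        s["src_ports"].add(e["src_port"])
        s["dst_ports"].append(e["dst_port"])

    report = {}
    for src, s in per_src.items():
        if s["hits"] == 1:
            pattern = "isolated"
        elif len(s["targets"]) > 1:
            pattern = "spread"
        else:
            pattern = "repeated"
        report[src] = {
            "hits": s["hits"],
            "distinct_targets": len(s["targets"]),
            # Service source port (<1024) is consistent with a reply to a
            # SYN we never sent, or with a probe crafted to look like one.
            "from_service_port": all(p < 1024 for p in s["src_ports"]),
            "dst_ports": sorted(s["dst_ports"]),
            "pattern": pattern,
        }
    return report


if __name__ == "__main__":
    evs = parse_106015(SAMPLE_LOG)
    for src, info in summarize_sources(evs).items():
        print(src, info)
    print("segments a stateless 'established' ACL would have admitted:",
          sum(would_pass_stateless_established_acl(e) for e in evs))
```

Run against a real day's logs, the "isolated" bucket is the one that needs the kind of follow-up the post describes (who is the source, is its SMTP daemon answering on that port, does our side have any record of an outbound SYN); the "spread" bucket with ascending ephemeral destination ports across many internal addresses is far more likely someone else's SYN flood with our prefix as the forged source.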
Current thread:
- SYN/ACK probe attempt to TCP 3072? SIU Credit Union IS Dept (Mar 07)
- Re: SYN/ACK probe attempt to TCP 3072? Valdis Kletnieks (Mar 08)