Security Incidents mailing list archives

RE: SYN/ACK to port 53


From: Steve Halligan <agent33 () geeksquad com>
Date: Thu, 24 May 2001 16:28:33 -0500

this look familiar?
http://www.whitehats.com/library/worms/lion/index.html

OK, this is beginning to drive me nuts.  Since about February of this
year, our firewall has been periodically hit with what can only be a
probe, attack, whatever to port 53.  Every time the scan exhibits the
same behavior and is from the same set of IP addresses.

A SYN/ACK packet is sent to TCP port 53.  No SYN was sent from our
system.  The SYN & ACK sequence numbers appear to be random, but the
ACK is always 1 less than the SYN.  Our system responds with a RST to
the ACK.
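
The signature described in the message above (a SYN/ACK to TCP port 53 with no SYN sent first, and an ACK number one less than the sequence number), written as detection logic over packet records. This is an added example, not part of the original post: the `Pkt` fields, the addresses and the sample packets are constructed for illustration, and it assumes "the SYN" in the message means the packet's sequence number.

```python
from collections import namedtuple

# Minimal view of a TCP header; the field names are this example's own.
Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack")
SYN, ACK = 0x02, 0x10
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

def find_unsolicited_synacks(packets, local_addrs, port=53):
    """Return (pkt, ack_is_seq_minus_1) for every inbound SYN/ACK to `port`
    that does not answer a SYN previously sent by a local address."""
    pending = {}  # (local, lport, remote, rport) -> ISN of our outbound SYN
    hits = []
    for p in packets:
        bits = p.flags & (SYN | ACK)
        if bits == SYN and p.src in local_addrs:
            pending[(p.src, p.sport, p.dst, p.dport)] = p.seq
        elif bits == (SYN | ACK) and p.dst in local_addrs and p.dport == port:
            isn = pending.get((p.dst, p.dport, p.src, p.sport))
            if isn is not None and p.ack == (isn + 1) % MOD:
                continue  # genuine handshake reply: it acknowledges our ISN + 1
            hits.append((p, p.ack == (p.seq - 1) % MOD))
    return hits

# Constructed sample traffic (documentation address ranges, made-up numbers).
LOCAL = {"192.0.2.10"}
SAMPLE = [
    Pkt("192.0.2.10", 53, "198.51.100.5", 53, SYN, 1000, 0),
    Pkt("198.51.100.5", 53, "192.0.2.10", 53, SYN | ACK, 77777, 1001),
    Pkt("203.0.113.7", 80, "192.0.2.10", 53, SYN | ACK, 500000, 499999),
    Pkt("203.0.113.7", 80, "192.0.2.10", 53, SYN | ACK, 0, MOD - 1),
    Pkt("203.0.113.9", 80, "192.0.2.10", 53, SYN | ACK, 42, 9000),
]

if __name__ == "__main__":
    for pkt, minus_one in find_unsolicited_synacks(SAMPLE, LOCAL):
        print(pkt.src, pkt.seq, pkt.ack, "ack == seq-1" if minus_one else "other")
```

In a normal handshake the ACK number of a SYN/ACK is the client's initial sequence number plus one and has no fixed relation to the sender's own sequence number, so the second value in each result separates the pattern in the message from other unsolicited SYN/ACKs.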


