Security Incidents mailing list archives
RE: SYN/ACK to port 53
From: "Golden_Eternity" <bhodi () bigfoot com>
Date: Sat, 26 May 2001 02:20:29 -0700
-----Original Message-----
From: Ryan Russell [mailto:ryan () securityfocus com]
Sent: Thursday, May 24, 2001 12:37 PM

On Thu, 24 May 2001, DeCamp, Paul wrote:

> A SYN/ACK packet is sent to TCP port 53. No SYN was sent from our system.
> The SYN & ACK sequence numbers appear to be random, but the ACK is always 1
> less than the SYN. Our system responds with a RST to the ACK.

Exactly what you would expect to see if someone sent them a spoofed packet claiming to be from your IP address, source port 53. What are the other port numbers?

Now why someone would do that, I can't say. There are some passive fingerprinting techniques this might apply for..

Ryan

This SYN/ACK packet reminded me of a thread from about two weeks ago, "DNS ports and scans", which included discussion of filtering TCP requests to 53. One suggestion was to filter inbound connections without the ACK bit set. If both a normal SYN packet and a spoofed SYN/ACK packet were sent, and the response compared, an attacker might be able to determine if there were a server listening on the port (but filters were in place) versus nothing listening at all. For example, if the SYN/ACK received an RST, but the SYN returned no response, that could suggest that there is/was/will be something on that port. It's not conclusive, but a decent foundation for a "best guess" kind of thing. I don't know if any scanners like this currently exist (it's probably hidden in nmap somewhere), but it seems interesting.
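
A defender-side check for the traffic discussed in this thread, added here as an example (it is not code from any poster): it flags inbound SYN/ACKs that answer no SYN the local host sent, or that acknowledge the wrong sequence number. The packet records, addresses and the function name are constructed for illustration.

```python
from collections import namedtuple

# One record per observed TCP packet; flags use "S", "SA", "R" as shorthand.
Pkt = namedtuple("Pkt", "ts src sport dst dport flags seq ack")

LOCAL = "192.0.2.10"  # constructed local address (documentation range)

# Constructed sample records, not captured traffic.
PACKETS = [
    Pkt(1.0, LOCAL, 40000, "198.51.100.5", 80, "S", 1000, 0),
    Pkt(1.1, "198.51.100.5", 80, LOCAL, 40000, "SA", 7000, 1001),
    Pkt(2.0, "203.0.113.9", 1025, LOCAL, 53, "SA", 555001, 555000),
    Pkt(2.0, LOCAL, 53, "203.0.113.9", 1025, "R", 555000, 0),
    Pkt(3.0, "203.0.113.9", 1026, LOCAL, 53, "SA", 91235, 91234),
    Pkt(4.0, LOCAL, 40001, "198.51.100.5", 80, "S", 2000, 0),
    Pkt(4.1, "198.51.100.5", 80, LOCAL, 40001, "SA", 8000, 9999),
]


def find_unsolicited_synacks(packets, local, window=30.0):
    """Return (packet, reason) for inbound SYN/ACKs that answer no SYN we sent."""
    pending = {}  # (local port, remote ip, remote port) -> (our ISN, time sent)
    findings = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.src == local and p.flags == "S":
            pending[(p.sport, p.dst, p.dport)] = (p.seq, p.ts)
        elif p.dst == local and p.flags == "SA":
            key = (p.dport, p.src, p.sport)
            sent = pending.get(key)
            if sent is None or p.ts - sent[1] > window:
                findings.append((p, "no-outbound-syn"))
            elif p.ack != (sent[0] + 1) & 0xFFFFFFFF:
                # A genuine reply acknowledges our ISN + 1 (mod 2**32).
                findings.append((p, "ack-mismatch"))
            else:
                del pending[key]  # handshake reply accounted for
    return findings


if __name__ == "__main__":
    for pkt, reason in find_unsolicited_synacks(PACKETS, LOCAL):
        print(f"{pkt.ts:>5} {pkt.src}:{pkt.sport} -> :{pkt.dport} "
              f"seq={pkt.seq} ack={pkt.ack} {reason}")
```
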
Current thread:
- SYN/ACK to port 53 DeCamp, Paul (May 24)
- Re: SYN/ACK to port 53 Daniel Martin (May 25)
- Re: SYN/ACK to port 53 Ryan Russell (May 25)
- RE: SYN/ACK to port 53 Golden_Eternity (May 26)
- <Possible follow-ups>
- Re: SYN/ACK to port 53 Bill_Royds (May 25)
- RE: SYN/ACK to port 53 Steve Halligan (May 25)
- RE: SYN/ACK to port 53 DeCamp, Paul (May 25)
- RE: SYN/ACK to port 53 Keith.Morgan (May 25)