Security Incidents mailing list archives
Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second
From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Thu, 26 Dec 2002 16:50:51 +0100 (MET)
On Mon, 23 Dec 2002, alfaentomega wrote:
First I thought that they may be some ports, which are kind-of open, but they never finish TCP handshake, but they are detected only with basic nmap scan -sT, a TCP connect() scan, and never by any other kind of scan, like -sS SYN half-open scan (if they never finish the handshake, then it would make more sense if -sS detects them, while -sT thinks they're closed, not the other way around - but I may be wrong here). Here are other of my observations: I ran nmap in a loop scanning TCP ports 1-10000 every time (first it scanned 1-65535 but higher ports were never open), and for 1000 ports found, there was 875 unique ones, with lowest 1036 and highest 4989, so they look quite randomly distributed in this range.
Your local port range (/proc/sys/net/ipv4/ip_local_port_range) is 1024-5000, right? You are probably seeing some autobound sockets. Hypothesis: one of the services listening on your machine opens a short-lived listening sockets on an automatically assigned port (ie. in 1024-5000 range) when it accepts a connection. This would explain why SYN scan does not trigger it but connect() scan does. Try this: for each port p in 1-1023 perform a connect() scan of p and 1024-5000 Only a small set of p, perhaps a single value of p--the hypothetic offending service (see above)--should make the mysterious listening port appear. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation." ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second alfaentomega (Dec 24)
- Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second Pavel Kankovsky (Dec 27)
- Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second alfaentomega (Dec 27)
- Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second Fyodor (Dec 27)
- Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second alfaentomega (Dec 27)
- <Possible follow-ups>
- RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second alfaentomega (Dec 27)
- RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second Charles . Fasching (Dec 27)
- RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second Hornat, Charles (Dec 27)
- Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second Pavel Kankovsky (Dec 27)