Re: Scanning with reverse connections?
Noah Meyerhans wrote:
But does nmap generate the packets WITHOUT the SYN flag set? Which is
what these are...
On Thu, Jun 05, 2003 at 10:02:53PM +0200, Christoph Haas wrote:
So most probably you see just the second. That's the way TCP works.
Sequential port numbers may show up because the counter of used
high-ports (1024 ff.) is just increased.
No, it's not at all uncommon to see incoming traffic from well known
ports. It's an easy way to bypass weakly configured firewalls. Snort
can detect such activity. Nmap can generate it using the -g flag.
Here's what the nmap man page has to say about it:
Sets the source port number used in scans. Many naive firewall and packet
filter installations make an exception in their ruleset to allow DNS (53)
or FTP-DATA (20) packets to come through and establish a connection.
Obviously this completely subverts the security advantages of the firewall
since intruders can just masquerade as FTP or DNS by modifying their source
port. Obviously for a UDP scan you should try 53 first and TCP scans should
try 20 before 53. Note that this is only a request -- nmap will honor it
only if and when it is able to. For example, you can't do TCP ISN sampling
all from one host:port to one host:port, so nmap changes the source port
even if you used -g.
I used to see it a bit... Suddenly I'm seeing massive amounts of it...
Are the skiddies getting bored or what? Or is it just me that's seeing
it? (On a rather large site, I admit. Anyone else on a large site seeing
a large increase in stuff like this?)
I see it all the time.
PS> Chris. Like I said in the first email. It's not real responses,
because in most cases you can see them scanning through ports/addresses
and most of them don't exist...
I ended up writing a script last night to watch the logs & temporarily
block them from ALL traffic to us when I see it... They seem to have
quietened down again now... If I were more paranoid I'd say it was a
genuine (but reasonably lame) attempt at a DDoS... Hopefully that's
wrong & they haven't just gone away to regroup & gather more forces...
I don't suffer from Insanity... | Linux User #16396
I enjoy every minute of it... |
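The thread talks about two things without showing either: what a -g 53 / -g 20 sweep looks like in a firewall log (packets from a "trusted" source port walking through hosts and ports, often with no SYN set), and the log-watching script that temporarily blocks the offender. Below is an added example of such a detector; it is not the poster's script and not nmap's or Snort's code. It assumes netfilter LOG lines in syslog (the `SRC= DST= PROTO= SPT= DPT=` format), a constructed sample log using RFC 5737 addresses, and an assumed threshold of four distinct (host, port) targets before a source is called a sweep.

```python
import re
from collections import defaultdict

# Constructed sample of netfilter LOG lines, as a border gateway might write
# them to syslog. Addresses are from the RFC 5737 documentation ranges and the
# traffic is invented for this example: 203.0.113.7 runs an ACK sweep from
# source port 53 (no SYN flag, several hosts and ports), 192.0.2.9 runs a SYN
# scan from source port 20, and 192.0.2.40 is a single active-mode FTP data
# connection from port 20, which is what a legitimate port-20 source looks like.
SAMPLE_LOG = """\
Jun  5 22:02:53 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=53 DPT=21 WINDOW=2048 RES=0x00 ACK URGP=0
Jun  5 22:02:53 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=53 DPT=22 WINDOW=2048 RES=0x00 ACK URGP=0
Jun  5 22:02:53 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=53 DPT=22 WINDOW=2048 RES=0x00 ACK URGP=0
Jun  5 22:02:54 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=53 DPT=22 WINDOW=2048 RES=0x00 ACK URGP=0
Jun  5 22:02:54 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.13 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=53 DPT=22 WINDOW=2048 RES=0x00 ACK URGP=0
Jun  5 22:02:54 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.14 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=53 DPT=22 WINDOW=2048 RES=0x00 ACK URGP=0
Jun  5 22:02:55 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=53 DPT=25 WINDOW=2048 RES=0x00 ACK URGP=0
Jun  5 22:03:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.40 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=0 PROTO=TCP SPT=20 DPT=40123 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  5 22:03:05 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=20 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  5 22:03:05 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=20 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  5 22:03:05 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=20 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  5 22:03:06 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=20 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
"""

SUSPICIOUS_SPORTS = {20, 53}   # the ports the nmap man page singles out for -g
MIN_TARGETS = 4                # assumed: distinct (host, port) pairs before we call it a sweep

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
# netfilter prints set TCP flags as bare tokens after the DPT field
FLAG_RE = re.compile(r"\b(SYN|ACK|RST|FIN|PSH|URG)\b")


def parse_log(text):
    """Turn netfilter LOG lines into records; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        flags = frozenset(FLAG_RE.findall(line[m.end():]))
        records.append({
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "spt": int(m["spt"]), "dpt": int(m["dpt"]), "flags": flags,
        })
    return records


def find_source_port_sweeps(records, sports=SUSPICIOUS_SPORTS, min_targets=MIN_TARGETS):
    """Group inbound TCP packets by source address when their source port is one
    of the 'trusted' ports. A genuine DNS reply or FTP data connection goes to
    one place; a host that hits many (dst, dpt) pairs from a fixed low source
    port is walking our address space, whatever TCP flags it sets."""
    per_src = defaultdict(lambda: {"targets": set(), "sports": set(), "flags": set()})
    for r in records:
        if r["proto"] != "TCP" or r["spt"] not in sports:
            continue
        entry = per_src[r["src"]]
        entry["targets"].add((r["dst"], r["dpt"]))
        entry["sports"].add(r["spt"])
        entry["flags"].add("".join(sorted(r["flags"])) or "none")
    findings = {}
    for src, entry in per_src.items():
        if len(entry["targets"]) >= min_targets:
            findings[src] = {
                "targets": len(entry["targets"]),
                "sports": sorted(entry["sports"]),
                "flags": sorted(entry["flags"]),
                # nmap -sA -g 53 shows up as bare ACKs (no SYN at all);
                # nmap -sS -g 20 shows up as bare SYNs
                "stealth_ack": entry["flags"] == {"ACK"},
            }
    return findings


def block_commands(findings, minutes=30):
    """Commands for a temporary all-traffic block of each offender, plus the
    matching removal scheduled with at(1). Returned as strings so the caller
    decides whether and how to run them."""
    cmds = []
    for src in sorted(findings):
        cmds.append(f"iptables -I INPUT -s {src} -j DROP")
        cmds.append(f"echo 'iptables -D INPUT -s {src} -j DROP' | at now + {minutes} minutes")
    return cmds


if __name__ == "__main__":
    found = find_source_port_sweeps(parse_log(SAMPLE_LOG))
    for src, info in found.items():
        print(f"{src}: {info['targets']} targets from sport {info['sports']}, flags {info['flags']}")
    for c in block_commands(found):
        print(c)
```

On the sample, 203.0.113.7 is reported with seven targets and only ACK set (the "no SYN flag" traffic asked about at the top of the thread), 192.0.2.9 with four SYN targets, and the single port-20 connection from 192.0.2.40 is left alone. The rule -g is built to abuse is a stateless accept such as `iptables -A INPUT -p tcp --sport 53 -j ACCEPT`; a firewall that instead admits only `-m state --state ESTABLISHED,RELATED` replies to connections it has seen go out never matches a forged source port in the first place, which is the real fix behind the temporary blocks.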