
Re: Scanning with reverse connections?

Noah Meyerhans wrote:

> On Thu, Jun 05, 2003 at 10:02:53PM +0200, Christoph Haas wrote:
> > So most probably you see just the second. That's the way TCP works.
> > Sequential port numbers may show up because the counter of used
> > high-ports (1024 ff.) is just increased.
>
> No, it's not at all uncommon to see incoming traffic from well known
> ports. It's an easy way to bypass weakly configured firewalls. Snort
> can detect such activity. Nmap can generate it using the -g flag.
> Here's what the nmap man page has to say about it:
>
>    -g <portnumber>
>          Sets the source port number used in scans. Many naive firewall
>          and packet filter installations make an exception in their
>          ruleset to allow DNS (53) or FTP-DATA (20) packets to come
>          through and establish a connection. Obviously this completely
>          subverts the security advantages of the firewall since intruders
>          can just masquerade as FTP or DNS by modifying their source port.
>          Obviously for a UDP scan you should try 53 first and TCP scans
>          should try 20 before 53. Note that this is only a request --
>          nmap will honor it only if and when it is able to. For example,
>          you can't do TCP ISN sampling all from one host:port to one
>          host:port, so nmap changes the source port even if you used -g.

But does nmap generate the packets WITHOUT the SYN flag set? Which is what these are...

> I see it all the time.

I used to see it a bit... Suddenly I'm seeing massive amounts of it... Are the skiddies getting bored or what? Or is it just me that's seeing it? (On a rather large site, I admit. Anyone else on a large site seeing a large increase in stuff like this?)


PS> Chris, like I said in the first email, these are not real responses, because in most cases you can see them scanning through ports/addresses and most of them don't exist...

I ended up writing a script last night to watch the logs & temporarily block them from ALL traffic to us when I see it... They seem to have quietened down again now... If I were more paranoid I'd say it was a genuine (but reasonably lame) attempt at a DDOS... Hopefully that's wrong & they haven't just gone away to regroup & gather more forces...


I don't suffer from Insanity... 	| Linux User #16396
	I enjoy every minute of it...	|
http://www.travellingkiwi.com/		|
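
As an added illustration (not code from this thread or from any of its posters), here is a small Python log filter in the spirit of the log-watching script mentioned above. It runs over constructed netfilter-style LOG lines (the addresses and timestamps are made up), flags inbound TCP segments that arrive from source port 20 or 53 without the SYN flag, and reports any source that sweeps several local addresses that way, which is the pattern the thread describes.

```python
import re

# Source ports that naive packet filters often trust blindly (DNS and FTP-DATA,
# the two the quoted nmap -g man page text names).
TRUSTED_SPORTS = {20, 53}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV = re.compile(r"(\w+)=(\S*)")

# Constructed sample log lines in netfilter LOG format; not real traffic.
SAMPLE_LOG = """\
Jun  5 22:01:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=53 DPT=1025 ACK URGP=0
Jun  5 22:01:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP SPT=53 DPT=1025 ACK URGP=0
Jun  5 22:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.12 PROTO=TCP SPT=53 DPT=1025 ACK URGP=0
Jun  5 22:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 PROTO=TCP SPT=20 DPT=33221 SYN URGP=0
Jun  5 22:01:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
Jun  5 22:01:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.13 PROTO=UDP SPT=53 DPT=1025 LEN=40
"""


def parse_line(line):
    """Split a LOG line into its KEY=value fields and the set of bare TCP flag tokens."""
    fields = dict(KV.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags


def suspicious(fields, flags):
    """True for a TCP segment from a 'trusted' source port that is not a connection attempt.

    A bare SYN from port 20/53 is an ordinary (if odd) connection request; a segment
    without SYN from such a port only makes sense inside a session we initiated,
    which a stateless filter cannot check, so it is worth a closer look.
    """
    if fields.get("PROTO") != "TCP":
        return False
    if int(fields.get("SPT", 0)) not in TRUSTED_SPORTS:
        return False
    return "SYN" not in flags


def scan_sources(log_text, min_targets=2):
    """Map each source IP to the sorted local addresses it hit with suspicious segments,
    keeping only sources that touched at least min_targets distinct addresses."""
    hits = {}
    for line in log_text.splitlines():
        fields, flags = parse_line(line)
        if suspicious(fields, flags):
            hits.setdefault(fields["SRC"], set()).add(fields["DST"])
    return {src: sorted(dsts) for src, dsts in hits.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in scan_sources(SAMPLE_LOG).items():
        print(f"{src} swept {len(dsts)} addresses from a trusted source port without SYN")
```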
