Re: Scanning with reverse connections?
On Fri, Jun 06, 2003 at 10:12:05PM +0200, Florian Weimer wrote:
> > But does nmap generate the packets WITHOUT the SYN flag set? Which is
> > what these are...
>
> In this case, it's probably backscatter. Could you tell us a few
> source/destination pairs? I could have a look at our flow database at
> work and look for similar incidents.

I don't see any reason to assume that it's backscatter. Look at the
Null scan mode of nmap. No flags (SYN, ACK, FIN, whatever) are set.
Using that scan mode with a source port of something like 80 is going to
get you through a lot of firewalls out there.

I think it's far more likely that this is what you're seeing, especially
if you're seeing it hit incrementing ports or IP addresses.

noah
--
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
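
The distinction drawn in the message above, as an added detection sketch that is not part of the original mail: packets with no TCP flags that walk consecutive ports or addresses are labelled a null scan, while a source sending only SYN/ACK or RST replies is labelled backscatter-like. The sample packets are constructed, and the `min_run` threshold and verdict labels are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# TCP flag bits as they appear in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, tcp_flags).
SAMPLE = [
    ("198.51.100.7", 80, "192.0.2.10", 21, 0),
    ("198.51.100.7", 80, "192.0.2.10", 22, 0),
    ("198.51.100.7", 80, "192.0.2.10", 23, 0),
    ("198.51.100.7", 80, "192.0.2.10", 24, 0),
    ("203.0.113.5", 80, "192.0.2.44", 31877, SYN | ACK),
    ("203.0.113.5", 80, "192.0.2.91", 1402, RST | ACK),
    ("203.0.113.5", 80, "192.0.2.17", 50211, SYN | ACK),
]

def longest_run(values):
    """Length of the longest run of consecutive integers in values."""
    vals = sorted(set(values))
    best = run = 1 if vals else 0
    for a, b in zip(vals, vals[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def classify(packets, min_run=3):
    """Label each source IP; min_run is an assumed threshold, tune per site."""
    by_src = defaultdict(list)
    for src, _sport, dst, dport, flags in packets:
        by_src[src].append((dst, dport, flags))
    verdicts = {}
    for src, pkts in by_src.items():
        # Flagless packets are what the message attributes to a null scan.
        null = [(d, p) for d, p, f in pkts if f == 0]
        # SYN/ACK or RST are replies a victim sends to spoofed sources.
        replies = [f for _, _, f in pkts
                   if (f & (SYN | ACK)) == (SYN | ACK) or (f & RST)]
        ports = longest_run(p for _, p in null)
        hosts = longest_run(int(ipaddress.ip_address(d)) for d, _ in null)
        if null and max(ports, hosts) >= min_run:
            verdicts[src] = "null-scan"
        elif len(replies) == len(pkts):
            verdicts[src] = "backscatter-like"
        else:
            verdicts[src] = "unclassified"
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE))
```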