
Re: Scanning with reverse connections?



On Fri, Jun 06, 2003 at 10:12:05PM +0200, Florian Weimer wrote:
> > But does nmap generate the packets WITHOUT the SYN flag set? Which is
> > what these are...
> 
> In this case, it's probably backscatter.  Could you tell us a few
> source/destination pairs?  I could have a look at our flow database at
> work and look for similar incidents.

I don't see any reason to assume that it's backscatter.  Look at the
Null scan mode of nmap.  No flags (SYN, ACK, FIN, whatever) are set.
Using that scan mode with a source port of something like 80 is going to
get you through a lot of firewalls out there.

I think it's far more likely that this is what you're seeing, especially
if you're seeing it hit incrementing ports or IP addresses.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
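
One way to test the two explanations in this thread against captured packets, as an added example that is not part of the original message: flagless packets from one source that walk upward through ports or addresses match the Null-scan pattern, while a source that sends only SYN/ACK or RST packets looks like replies to spoofed traffic. The record layout, the `min_targets` threshold and all names and addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10
SYNACK = SYN | ACK

# Constructed sample records (documentation addresses), in arrival order:
# (src_ip, src_port, dst_ip, dst_port, tcp_flag_byte)
SAMPLE = [
    ("198.51.100.7", 80, "192.0.2.10", 21, 0x00),
    ("198.51.100.7", 80, "192.0.2.10", 22, 0x00),
    ("198.51.100.7", 80, "192.0.2.10", 23, 0x00),
    ("198.51.100.7", 80, "192.0.2.10", 25, 0x00),
    ("203.0.113.5", 80, "192.0.2.44", 40211, SYN | ACK),
    ("203.0.113.5", 80, "192.0.2.91", 1734, RST | ACK),
    ("203.0.113.5", 80, "192.0.2.17", 52890, SYN | ACK),
    ("203.0.113.9", 80, "192.0.2.10", 3301, ACK),
]

def _increasing(values):
    return len(values) >= 2 and all(a < b for a, b in zip(values, values[1:]))

def is_sweep(null_pkts, min_targets):
    """True if flagless packets walk upward through ports or addresses."""
    if len(null_pkts) < min_targets:
        return False
    hosts = [int(ipaddress.ip_address(d)) for d, _ in null_pkts]
    ports = [p for _, p in null_pkts]
    same_host, same_port = len(set(hosts)) == 1, len(set(ports)) == 1
    return (same_host and _increasing(ports)) or (same_port and _increasing(hosts))

def classify(records, min_targets=3):
    by_src = defaultdict(list)
    for src, _sport, dst, dport, flags in records:  # source port is sender-chosen, not evidence
        by_src[src].append((dst, dport, flags))
    verdicts = {}
    for src, pkts in by_src.items():
        null_pkts = [(d, p) for d, p, f in pkts if f == 0]
        # Replies a host sends to spoofed SYNs: SYN/ACK, or anything with RST set.
        replies = [f for _, _, f in pkts if (f & RST) or (f & SYNACK) == SYNACK]
        if is_sweep(null_pkts, min_targets):
            verdicts[src] = "null-scan sweep"
        elif len(replies) == len(pkts):
            verdicts[src] = "backscatter-like"
        else:
            verdicts[src] = "unclassified"
    return verdicts
```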


