[Sheflug] Weird packets etc.
>>>>> "Barrie" == Barrie Bremner <TheEnglishman [at] ecosse.net> writes:
Barrie> Anyone got any idea exactly what the packet that this
Barrie> Korea geezer was throwing at me was meant to achieve?
See RFC 793 and RFC 1122 for more info.
Barrie> May 16 02:12:13 localhost portsentry[672]: attackalert:
Barrie> Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0
Barrie> URG: 0 RST: 0
Well, the flags are quite strange; SYN means "Please open a connection
to me", while FIN means "I'm not sending any more data." According to
the flow chart in RFC 793, it's quite possible that the TCP/IP stack
will ignore this, leaving the connection in a partially opened state
for a while, ignoring the FIN.
So this is definitely a broken packet; probably the TCP should take no
action (or report it as an error). But an incautious implementation
might send an ACK, letting the attacker know there is a broken TCP
implementation at the other end.
Barrie> from host: rrlab7.kaist.ac.kr/143.248.151.179 to TCP port: 109
109 is POP2.
My guess is that the remote host is probing for a known security hole
in POP2, but doesn't know what he's doing.
Barrie> And how/why am I being scanned by something/one
Barrie> else...I've got dynamic IP address...not like I'm in any
Barrie> one 'place', so to speak for very long at one time.
Generally attackers scan whole networks, not single hosts. If he
wants to do, say, spam _now_, he doesn't care if you'll be there in a
week as long as you're willing to provide the open relay for the next
few minutes.
Barrie> May 30 21:57:32 localhost portsentry[672]: attackalert:
Barrie> SYN/Normal scan from host: 195.76.27.44/195.76.27.44 to
Barrie> TCP port: 53
This is the DNS. Coming from Barcelona, you know anyone there?
(whois -h whois.arin.net 195.76.27.44 for more info.)
Barrie> I assume there isn`t much else I can do, but sit and
Barrie> laugh at these log entries is there?
Well, you can block connection attempts to ports you don't want anyone
talking to using IPchains. Then the port monitors would never see the
packets.
--
University of Tsukuba Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences Tel/fax: +81 (298) 53-5091
_________________ _________________ _________________ _________________
What are those straight lines for? "XEmacs rules."
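The reply above judges the logged flag combinations by hand (SYN+FIN cannot be a valid segment, a lone SYN is an ordinary connection attempt). As an added example that is not part of the original thread or of portsentry itself, the following script parses lines in the "attackalert" format the log excerpts use and applies that RFC 793 reasoning automatically: it flags SYN+FIN, SYN+RST and all-zero flag sets as illegal, and labels the target port with a service name. The log lines are constructed for the example (documentation addresses, not the hosts in the original mail), and the verdict strings, `SERVICE_NAMES` table and function names are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the portsentry "attackalert" format shown in the
# message. Hostnames and addresses are documentation values (RFC 5737), not
# the hosts mentioned in the original thread.
SAMPLE_LOG = """\
May 16 02:12:13 localhost portsentry[672]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: scanner.example.net/192.0.2.10 to TCP port: 109
May 30 21:57:32 localhost portsentry[672]: attackalert: SYN/Normal scan from host: 192.0.2.44/192.0.2.44 to TCP port: 53
May 30 22:01:07 localhost portsentry[672]: attackalert: Unknown Type: Packet Flags: SYN: 0 FIN: 0 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: 198.51.100.7/198.51.100.7 to TCP port: 109
"""

# "Packet Flags: SYN: 1 FIN: 1 ACK: 0 ..." -> the run of "NAME: bit" pairs
FLAG_RE = re.compile(r"Packet Flags:((?: [A-Z]{3}: [01])+)")
FLAG_PAIR_RE = re.compile(r"([A-Z]{3}): ([01])")
HOST_RE = re.compile(r"from host: (\S+) to TCP port: (\d+)")

# Small, hand-picked table for the ports that appear in the thread.
SERVICE_NAMES = {53: "domain (DNS)", 109: "pop2", 110: "pop3"}


@dataclass
class Alert:
    source: str          # "hostname/address" exactly as portsentry logs it
    port: int
    flags: frozenset     # names of the flag bits that were set
    verdict: str


def service_name(port: int) -> str:
    return SERVICE_NAMES.get(port, "unknown")


def parse_flags(line: str) -> Optional[frozenset]:
    """Return the set of flags that were set, or None if the line has none."""
    m = FLAG_RE.search(line)
    if m:
        return frozenset(name for name, bit in FLAG_PAIR_RE.findall(m.group(1))
                         if bit == "1")
    # portsentry reports a plain connection attempt as "SYN/Normal scan"
    if "SYN/Normal scan" in line:
        return frozenset({"SYN"})
    return None


def classify(flags: frozenset) -> str:
    """Judge a flag set against RFC 793 segment semantics."""
    if not flags:
        return "illegal: no flags set (NULL probe)"
    if "SYN" in flags and "FIN" in flags:
        return "illegal: SYN+FIN (open and close in one segment)"
    if "SYN" in flags and "RST" in flags:
        return "illegal: SYN+RST (open and abort in one segment)"
    if flags == {"SYN"}:
        return "connection attempt (SYN)"
    if "ACK" not in flags and "RST" not in flags:
        # Once a connection exists every segment carries ACK; a FIN/PSH/URG
        # segment without it belongs to no legitimate conversation.
        return "suspicious: FIN/PSH/URG without ACK outside a handshake"
    return "plausible"


def parse_alert(line: str) -> Optional[Alert]:
    """Turn one attackalert line into an Alert, or None for other log lines."""
    if "attackalert:" not in line:
        return None
    flags = parse_flags(line)
    host = HOST_RE.search(line)
    if flags is None or host is None:
        return None
    port = int(host.group(2))
    return Alert(host.group(1), port, flags, classify(flags))


def parse_log(text: str) -> List[Alert]:
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


if __name__ == "__main__":
    for a in parse_log(SAMPLE_LOG):
        print(f"{a.source:<32} port {a.port:>5} ({service_name(a.port)}) "
              f"flags={sorted(a.flags) or '-'} -> {a.verdict}")
```

Lines that lack a "Packet Flags:" list are treated as a plain SYN only when portsentry itself says so; anything else is skipped rather than guessed, so the classifier never reports a verdict it cannot justify from the line.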
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
GNU the choice of a complete generation.