FTR I would expect to see other packets inbound if someone were attempting to map a firewall; otherwise you wouldn't know if there was a firewall even in place.

Moreover is there even a firewall out there that doesn't track state anymore? I'm sure there is, but this is likely to be akin to hoping firewalls won't deal with fragments properly and similar... that doesn't stop someone from downloading nmap, reading the manpage and trying it though.

The ports in question are probably important; as pointed out, the source port may help you confirm that they're trying to evade a firewall from the 90s; destination port will give you an idea of what they were after. If there was a spoofed SYN and his boxes were sending SYN-ACKs to the spoofed address... he would be seeing the synergies too.

Whoever said the bit about checking for a stateful firewall is probably right; the lack of other types of flags would tell me either they're using different source IP or more likely that they're just running some tool without knowing what they're doing/why they're doing it; they just read some old text that said it bypasses firewalls.

On Wednesday, September 25, 2013, <[email protected]> wrote:
>
>
> On 09/24/2013 at 10:29 PM, "Crist Clark" <[email protected]> wrote:
>
> Backscatter. Someone may be sending out spoofed SYNs. The target sends SYN-ACKs to the spoofed source, you. What's the source port? A well known service? Do the source addresses really have reachable services on those ports?
>
> On Sep 24, 2013 7:25 AM, <[email protected]> wrote:
>>
>> Can someone explain the point of a SYN ACK scan to random high ports? I usually see a fair amount of these...at first I thought it was maybe a block to an initiating SYN packet, but I don't see any evidence that the SYN ACK isn't the first packet seen. Danke.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> That's a great point Crist I had not thought about that...thanks for the insight.
>
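The triage questions raised in this thread (was there an outbound SYN, is the source port a well-known service, does the same source send other flag types), sketched as an added example that is not from any poster. The record layout, `LOCAL_PREFIX`, the below-1024 cutoff and the verdict labels are assumptions, and the sample packets are constructed; whether the source really runs a reachable service on that port still has to be checked separately.

```python
from collections import defaultdict

WELL_KNOWN_MAX = 1023      # assumption: "well known service" means port < 1024
LOCAL_PREFIX = "192.0.2."  # assumption: our own address space (documentation range)

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE = [
    ("192.0.2.10", 40000, "198.51.100.5", 443, "S"),    # we open a connection
    ("198.51.100.5", 443, "192.0.2.10", 40000, "SA"),   # solicited SYN-ACK
    ("203.0.113.7", 80, "192.0.2.10", 51514, "SA"),     # no SYN from us first
    ("203.0.113.7", 80, "192.0.2.11", 38211, "SA"),
    ("203.0.113.99", 31337, "192.0.2.10", 60001, "SA"),
    ("203.0.113.99", 31337, "192.0.2.10", 60002, "F"),  # other flags, same source
]

def classify_synacks(packets, local_prefix=LOCAL_PREFIX):
    """Return {(src, sport, dst, dport): verdict} for unsolicited SYN-ACKs."""
    outbound_syns = set()            # 4-tuples of SYNs our hosts sent
    flags_by_src = defaultdict(set)  # every flag combination seen per remote IP
    unsolicited = []
    for src, sport, dst, dport, flags in packets:
        if src.startswith(local_prefix):
            if flags == "S":
                outbound_syns.add((src, sport, dst, dport))
            continue
        flags_by_src[src].add(flags)
        # A SYN-ACK is solicited only if we sent the mirror-image SYN.
        if flags == "SA" and (dst, dport, src, sport) not in outbound_syns:
            unsolicited.append((src, sport, dst, dport))
    verdicts = {}
    for src, sport, dst, dport in unsolicited:
        if flags_by_src[src] != {"SA"}:
            verdict = "probe-like"        # other packet types from same source
        elif sport <= WELL_KNOWN_MAX and dport > WELL_KNOWN_MAX:
            verdict = "backscatter-like"  # service port replying to a high port
        else:
            verdict = "unexplained"
        verdicts[(src, sport, dst, dport)] = verdict
    return verdicts

if __name__ == "__main__":
    for flow, verdict in classify_synacks(SAMPLE).items():
        print(flow, verdict)
```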
