Re: [cobalt-security] attackalert Unknown Type
- Subject: Re: [cobalt-security] attackalert Unknown Type
- From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
- Date: Thu, 24 Jan 2002 23:03:16 +0000 (GMT)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> Date: Thu, 24 Jan 2002 23:40:23 +0100
> From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>

> > Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0
>
> What is unusual here is that both the ACK and the FIN flags
> were set. This never happens during a regular TCP/IP
> connection.

Almost; never say "never". :-)

Check out RFC 1644 for info on T/TCP.

> So someone was most likely sending manually crafted packets
> your way, or using some kind of security auditing tool.

Perhaps, but see my previous post. I don't know if ESRO actually
uses T/TCP or how common it is... it may well have been a valid,
yet misdirected, packet. If it's the only one, I'd lean
toward it being legit.

But excessive concern _is_ safer than insufficient concern. :-)

Eddy
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
--
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots. Do NOT
send mail to <blacklist@xxxxxxxxx>, or you are likely to be blocked.
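
The triage reasoning in the reply above (a single SYN+FIN packet may be a stray T/TCP segment, while repeats from one source deserve a look), as an added example that is not part of the original message or of any Cobalt tool. The "Flags:" line format is taken from the quoted alert; the source addresses, the (source, line) pairing and the repeat threshold of 3 are assumptions made for illustration.

```python
import re
from collections import Counter

FLAG_NAMES = {"SYN", "FIN", "ACK", "PSH", "URG", "RST"}
FLAG_RE = re.compile(r"\b(SYN|FIN|ACK|PSH|URG|RST):\s*([01])\b")

def parse_flags(line):
    """Return the set of flag names set to 1 in an attackalert 'Flags:' line."""
    found = dict(FLAG_RE.findall(line))
    missing = FLAG_NAMES - found.keys()
    if missing:
        # A truncated line must not be silently read as "flag not set".
        raise ValueError(f"flags line lacks {sorted(missing)}")
    return {name for name, bit in found.items() if bit == "1"}

def is_syn_fin(flags):
    """SYN and FIN together: not produced by ordinary TCP, allowed by T/TCP (RFC 1644)."""
    return {"SYN", "FIN"} <= flags and "RST" not in flags

def triage(alerts, repeat_threshold=3):
    """Map each source that sent SYN+FIN to 'likely-stray' or 'investigate'.

    alerts: iterable of (source, flags_line) pairs. repeat_threshold is an
    assumed cut-off, not a value from the thread.
    """
    counts = Counter(src for src, line in alerts if is_syn_fin(parse_flags(line)))
    return {src: "investigate" if n >= repeat_threshold else "likely-stray"
            for src, n in counts.items()}

# Constructed sample alerts (documentation address ranges, not real hosts).
SYN_FIN = "Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0"
PLAIN_SYN = "Flags: SYN: 1 FIN: 0 ACK: 0 PSH: 0 URG: 0 RST: 0"
SAMPLE = [
    ("192.0.2.10", SYN_FIN),      # one-off, as in the reported alert
    ("198.51.100.7", SYN_FIN),
    ("198.51.100.7", SYN_FIN),
    ("198.51.100.7", SYN_FIN),    # third repeat from the same source
    ("203.0.113.5", PLAIN_SYN),   # ordinary connection attempt, ignored
]

if __name__ == "__main__":
    for source, verdict in sorted(triage(SAMPLE).items()):
        print(source, verdict)
```
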