[unisog] fin-no-ack scans

Fred Portnoy fportnoy at mail.plymouth.edu
Wed Apr 14 15:15:53 GMT 2004


Our ResNet/Helpdesk team has been working on this; early findings point to
something called "Poisoned" for Mac OS X. Anyone know more about this? More
info at:

http://www.versiontracker.com/dyn/moreinfo/macosx/20289

-fp
-----Original Message-----
From: Fred Portnoy [mailto:fportnoy at mail.plymouth.edu] 
Sent: Sunday, April 04, 2004 12:50 PM
To: 'John Kristoff'
Cc: unisog at sans.org; packeteer-edu at lists.stanford.edu
Subject: RE: [unisog] fin-no-ack scans


I found upon Sniffer inspection that when some hosts send a SYN to a
particular address, which is not answered even after half a dozen or so
retransmissions, then they'll send a FIN without an ACK. I don't know what
application it is that's doing it, but the FIN packets are getting flagged
by Snort and getting stopped at my firewall. More troubling is that I think
the Packeteer might be counting the SYN attempts as flows, and running out
of system resources.

-fp
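
An added example, not part of the original posts: one way to triage FIN-without-ACK alerts like those described above, separating a bare FIN that follows repeated unanswered SYNs on the same flow from a bare FIN with no connection attempt behind it. The packet records, addresses, ports, labels and the `min_syns` threshold are constructed assumptions.

```python
from collections import defaultdict

FIN, SYN, ACK = 0x01, 0x02, 0x10  # TCP flag bits

# Constructed sample records: (time, src, dst, sport, dport, tcp_flags)
SAMPLE = [
    (0.0, "10.0.0.5", "192.0.2.9", 40001, 6346, SYN),
    (3.0, "10.0.0.5", "192.0.2.9", 40001, 6346, SYN),
    (9.0, "10.0.0.5", "192.0.2.9", 40001, 6346, SYN),
    (21.0, "10.0.0.5", "192.0.2.9", 40001, 6346, FIN),      # gives up, bare FIN
    (0.5, "10.0.0.7", "192.0.2.20", 40002, 80, SYN),
    (0.6, "192.0.2.20", "10.0.0.7", 80, 40002, SYN | ACK),
    (0.7, "10.0.0.7", "192.0.2.20", 40002, 80, ACK),
    (5.0, "10.0.0.7", "192.0.2.20", 40002, 80, FIN | ACK),  # normal close
    (7.0, "203.0.113.4", "10.0.0.9", 53211, 22, FIN),       # bare FIN, no SYN seen
]


def classify_bare_fins(packets, min_syns=2):
    """Label every FIN sent without ACK, keyed by (src, dst, sport, dport).

    "abandoned-connect": the sender made at least min_syns SYN attempts on
    this flow and the peer never replied before the FIN.
    "unsolicited": any other bare FIN (no such SYN history, or the peer
    had already replied), which deserves a closer look.
    """
    syn_count = defaultdict(int)  # SYN attempts per directed flow
    answered = set()              # directed flows whose peer has sent anything
    labels = {}
    for _, src, dst, sport, dport, flags in sorted(packets):
        flow = (src, dst, sport, dport)
        # Any packet counts as a reply to the flow in the opposite direction.
        answered.add((dst, src, dport, sport))
        if flags & SYN and not flags & ACK:
            syn_count[flow] += 1
        elif flags & FIN and not flags & ACK:
            gave_up = flow not in answered and syn_count[flow] >= min_syns
            labels[flow] = "abandoned-connect" if gave_up else "unsolicited"
    return labels


if __name__ == "__main__":
    for flow, label in classify_bare_fins(SAMPLE).items():
        print(flow, label)
```
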

