[Dshield] Almost funny packets: URG ACK PSH FIN set
todb at planb-security.net
Thu Sep 25 12:59:03 GMT 2003
So, I see these guys once in a while on my network -- I only noticed
them because a slew came through at once, and it tripped an IDS
threshold for OS fingerprinting.
I know this combination isn't illegal; FIN-ACK to gracefully close, PSH
and URG to try to get it done ASAP.
But it happens exceedingly rarely, and these packets almost (but not
quite) always come from the server side. Also, the servers are running
a variety of services (mail, ftp, web) on a variety of platforms
(predominantly Winders and Leenucks).
So, my question is, what condition causes this specific flag
combination? My wild guess: the client tries to close (via FIN), the
server responds, and the client never finishes up his end, so the
server gets all panicky and slaps on an URG.
Hmm, come to think of it, I guess I could set up some funny IPTables
rules and test this theory directly...
"It's okay to yell 'fire' in a crowded theater
if the theater is actually on fire."
Tod Beardsley | www.planb-security.net
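As an added example (this is not code from the original post, the poster, or the list), the script below parses raw TCP headers, picks out packets whose flags are exactly URG+ACK+PSH+FIN, and runs the few sanity checks that would separate a legitimate-but-unusual close from a malformed one (SYN+FIN, FIN without ACK, URG with a zero urgent pointer). The sample packets are constructed in the block, and the "which side sent it" guess (a well-known source port means the server) is an assumed heuristic, not something the post states.

```python
"""Parse raw TCP headers and pick out the URG/ACK/PSH/FIN combination.

Added example, not from the original post. Packets are constructed
in-line; the "which side sent it" heuristic (source port in a short
list of service ports) is an assumption, not something the post states.
"""
import struct

# TCP flag bits, low byte of the data-offset/flags word (RFC 793, RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}
ALL = 0xFF
URG_ACK_PSH_FIN = URG | ACK | PSH | FIN

# Assumed list of service ports, used only by the side heuristic below.
SERVICE_PORTS = frozenset({21, 22, 25, 80, 110, 143, 443})


def build_tcp_header(sport, dport, flags, seq=0, ack=0, urgptr=0):
    """Constructed 20-byte TCP header (data offset 5, no options)."""
    off_flags = (5 << 12) | (flags & ALL)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       off_flags, 65535, 0, urgptr)


def parse_tcp_header(buf):
    """Return the fixed TCP header fields as a dict."""
    if len(buf) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (sport, dport, seq, ack, off_flags,
     window, csum, urgptr) = struct.unpack("!HHIIHHHH", buf[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_flags >> 12, "flags": off_flags & ALL,
            "window": window, "urgptr": urgptr}


def flag_names(flags):
    """Human-readable flag list in bit order (FIN first)."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def tcp_flags_match(flags, mask, comp):
    """Same semantics as iptables '--tcp-flags mask comp': of the bits in
    mask, exactly the bits in comp must be set, all others clear."""
    return (flags & mask) == comp


def sanity_issues(flags, urgptr):
    """Combinations that are malformed or suspicious on their own.
    URG+ACK+PSH+FIN itself is legal; these checks are what would make a
    particular instance of it look wrong."""
    issues = []
    if flags & SYN and flags & FIN:
        issues.append("SYN+FIN")
    if flags & SYN and flags & RST:
        issues.append("SYN+RST")
    if flags & FIN and not flags & ACK:
        issues.append("FIN without ACK")
    if flags & URG and urgptr == 0:
        issues.append("URG set but urgent pointer is 0")
    if flags == 0:
        issues.append("no flags set (null)")
    return issues


def likely_side(sport, dport):
    """Assumed heuristic: a well-known source port means the server sent it."""
    if sport in SERVICE_PORTS and dport not in SERVICE_PORTS:
        return "server"
    if dport in SERVICE_PORTS and sport not in SERVICE_PORTS:
        return "client"
    return "unknown"


def classify(buf):
    """Parse one header and report whether it is the combination under
    discussion, which side likely sent it, and any sanity issues."""
    h = parse_tcp_header(buf)
    h["flag_names"] = flag_names(h["flags"])
    h["match"] = tcp_flags_match(h["flags"], ALL, URG_ACK_PSH_FIN)
    h["side"] = likely_side(h["sport"], h["dport"])
    h["issues"] = sanity_issues(h["flags"], h["urgptr"])
    return h


def scan(headers):
    """Return only the URG/ACK/PSH/FIN headers, the set an IDS threshold
    would be counting."""
    return [r for r in (classify(b) for b in headers) if r["match"]]


# Constructed sample traffic: one ordinary FIN/ACK close, one server-side
# URG/ACK/PSH/FIN with a zero urgent pointer, one client-side one with a
# real urgent pointer.
SAMPLE = [
    build_tcp_header(40123, 80, FIN | ACK, seq=1000, ack=2000),
    build_tcp_header(25, 40124, URG_ACK_PSH_FIN, seq=3000, ack=4000),
    build_tcp_header(40125, 21, URG_ACK_PSH_FIN, seq=5000, ack=6000, urgptr=1),
]

if __name__ == "__main__":
    for r in scan(SAMPLE):
        print(r["sport"], "->", r["dport"], "/".join(r["flag_names"]),
              r["side"], r["issues"])
```

`tcp_flags_match` deliberately mirrors the mask/comp semantics of the iptables `--tcp-flags` match, so the rule-side equivalent for catching these on live traffic is `--tcp-flags ALL URG,ACK,PSH,FIN -j LOG`; the urgent-pointer check is the one worth watching, since a stack that sets URG on a close would normally also fill in a non-zero pointer.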