[Dshield] Almost funny packets: URG ACK PSH FIN set

Tod Beardsley todb at planb-security.net
Thu Sep 25 12:59:03 GMT 2003

Hi all.

So, I see these guys once in a while on my network -- I only noticed 
them because a slew came through at once, and it tripped an IDS 
threshold for OS fingerprinting.

I know this combination isn't illegal; FIN-ACK to gracefully close, PSH 
and URG to try to get it done ASAP.

But it happens exceedingly rarely, and these packets almost (but not
quite) always come from the server side. Also, the servers are running
a variety of services (mail, ftp, web) on a variety of platforms
(predominantly Winders and Leenucks).

So, my question is, what condition causes this specific flag
combination? My wild guess: the client tries to close (via FIN), the
server responds, and the client never finishes up his end, so the
server gets all panicky and slaps on a URG.

Hmm, come to think of it, I guess I could set up some funny IPTables 
rules and test this theory directly...

"It's okay to yell 'fire' in a crowded theater
if the theater is actually on fire."
Tod Beardsley | www.planb-security.net
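The IDS-threshold behaviour the post describes (a tally of URG|ACK|PSH|FIN packets per source, tripping once a slew arrive from the same host) is easy to reproduce offline. The following is an added example written for this page, not code from the post or from DShield: it packs a few 20-byte TCP headers with Python's struct module (the sample headers, addresses and ports are constructed, not captured data), decodes the six classic flag bits and the urgent pointer, and counts per-source hits of that exact combination. It does not answer the question of which TCP state produces the combination; it only shows how to spot and count it in raw headers.

```python
"""Decode TCP flag bits from raw TCP headers and tally the URG|ACK|PSH|FIN combination.

Added example (not from the original mailing-list post). All packets below are
constructed inline with struct.pack; nothing is read from the wire.
"""
import struct
from collections import Counter

# Classic TCP flag bits (RFC 793), lowest six bits of the offset/flags field.
FIN = 0x01
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10
URG = 0x20

FLAG_NAMES = [("URG", URG), ("ACK", ACK), ("PSH", PSH),
              ("RST", RST), ("SYN", SYN), ("FIN", FIN)]

# The combination the post asks about: 0x20 | 0x10 | 0x08 | 0x01 == 0x39.
URG_ACK_PSH_FIN = URG | ACK | PSH | FIN

TCP_HDR_FMT = "!HHIIHHHH"   # sport, dport, seq, ack, offset/flags, window, csum, urg_ptr


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535, urg_ptr=0):
    """Pack a minimal 20-byte TCP header (no options) for the sample data."""
    data_offset = 5                                  # header length in 32-bit words
    offset_flags = (data_offset << 12) | (flags & 0x3F)
    return struct.pack(TCP_HDR_FMT, sport, dport, seq, ack,
                       offset_flags, window, 0, urg_ptr)


def parse_tcp_header(raw):
    """Return (sport, dport, flags, urg_ptr) from the first 20 bytes of a TCP header."""
    if len(raw) < 20:
        raise ValueError("short TCP header: %d bytes" % len(raw))
    sport, dport, _seq, _ack, offset_flags, _win, _csum, urg_ptr = \
        struct.unpack(TCP_HDR_FMT, raw[:20])
    flags = offset_flags & 0x3F                      # ignore ECE/CWR/NS bits here
    return sport, dport, flags, urg_ptr


def flags_to_str(flags):
    """Render a flag byte as 'URG|ACK|PSH|FIN' style text."""
    names = [name for name, bit in FLAG_NAMES if flags & bit]
    return "|".join(names) if names else "none"


def is_urg_ack_psh_fin(flags):
    return (flags & 0x3F) == URG_ACK_PSH_FIN


def count_oddities(packets):
    """Per-source tally of URG|ACK|PSH|FIN headers, as a threshold rule would keep."""
    tally = Counter()
    for src, raw in packets:
        _, _, flags, _ = parse_tcp_header(raw)
        if is_urg_ack_psh_fin(flags):
            tally[src] += 1
    return tally


def sources_over_threshold(packets, threshold):
    """Sources whose URG|ACK|PSH|FIN count reaches the threshold (the 'slew' case)."""
    return sorted(src for src, n in count_oddities(packets).items() if n >= threshold)


# Constructed sample traffic: three odd packets from one "server" (mail and ftp
# ports), one normal FIN|ACK from the same host, and one client SYN. Hypothetical
# addresses and ports.
SAMPLE_PACKETS = [
    ("10.0.0.5", build_tcp_header(25, 40001, URG | ACK | PSH | FIN, urg_ptr=1)),
    ("10.0.0.5", build_tcp_header(25, 40002, URG | ACK | PSH | FIN, urg_ptr=1)),
    ("10.0.0.5", build_tcp_header(21, 40003, URG | ACK | PSH | FIN, urg_ptr=1)),
    ("10.0.0.5", build_tcp_header(80, 40004, FIN | ACK)),
    ("192.168.1.9", build_tcp_header(40005, 80, SYN)),
]

if __name__ == "__main__":
    for src, raw in SAMPLE_PACKETS:
        sport, dport, flags, urg_ptr = parse_tcp_header(raw)
        mark = "  <-- URG|ACK|PSH|FIN" if is_urg_ack_psh_fin(flags) else ""
        print("%-12s %5d -> %5d  %-20s urg_ptr=%d%s"
              % (src, sport, dport, flags_to_str(flags), urg_ptr, mark))
    print("sources at/over threshold 3:", sources_over_threshold(SAMPLE_PACKETS, 3))
```

The urgent pointer is printed alongside the flags because, per RFC 793, it only carries meaning when URG is set; when chasing the post's question on real traffic, seeing whether the server actually points at urgent data is the first thing worth checking before blaming the close sequence.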

