[Dshield] Interesting scans

Valdis.Kletnieks at vt.edu
Mon Jul 7 21:35:33 GMT 2008


On Mon, 07 Jul 2008 16:41:57 EDT, Jon Kibler said:

> Can someone please explain how all scans always originate from the same
> port? To me, that is REALLY weird.

I don't know how it works on the Windows side of the fence, but on Unixoid
boxes, my first guess would be that the program does something like this:

fd = socket(..);
while (forever) do {
	fd_new = dup(fd);
	/* use fd_new for the scan */
	close(fd_new);
}

(This is basically the same trick that Apache uses to spawn off a herd of
worker clients all listening on the same port - to make that trick work,
the kernel basically has to assign the local port number at socket creation
time so all copies of the socket's file descriptor get the same port number).
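Added example, not part of the original message: a loopback-only C check showing that every dup() of one socket sends from the same local port, which is what a sensor would log as a constant source port. The use of UDP, the explicit bind() to port 0, and the helper names local_port and same_port_count are assumptions made for this illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Local port the kernel has assigned to a socket (0 on error). */
static unsigned local_port(int fd) {
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    if (getsockname(fd, (struct sockaddr *)&a, &len) < 0) return 0;
    return ntohs(a.sin_port);
}

/* Send `rounds` datagrams over loopback, each through a fresh dup() of one
 * sender socket; return how many arrived from the sender's original port.
 * Returns -1 on setup failure. (Hypothetical helper for this example.) */
int same_port_count(int rounds) {
    struct sockaddr_in lo;
    memset(&lo, 0, sizeof lo);
    lo.sin_family = AF_INET;
    lo.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    lo.sin_port = 0;                      /* let the kernel pick a port */

    int rx = socket(AF_INET, SOCK_DGRAM, 0);
    int tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0) return -1;
    if (bind(rx, (struct sockaddr *)&lo, sizeof lo) < 0) return -1;
    if (bind(tx, (struct sockaddr *)&lo, sizeof lo) < 0) return -1;

    struct sockaddr_in dst = lo;
    dst.sin_port = htons(local_port(rx)); /* receiver's address */
    unsigned src = local_port(tx);        /* port fixed once, on tx */
    int same = 0;
    for (int i = 0; i < rounds; i++) {
        int fd_new = dup(tx);             /* new descriptor, same socket */
        if (fd_new < 0) break;
        ssize_t n = sendto(fd_new, "x", 1, 0, (struct sockaddr *)&dst, sizeof dst);
        close(fd_new);                    /* tx still holds the socket open */
        if (n != 1) break;
        struct sockaddr_in from;
        socklen_t flen = sizeof from;
        char buf[1];
        if (recvfrom(rx, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen) == 1
            && src != 0 && ntohs(from.sin_port) == src)
            same++;                       /* receiver saw the same source port */
    }
    close(tx);
    close(rx);
    return same;
}
```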