From: Golden_Eternity [bhodi@bigfoot.com]
Sent: Saturday, May 26, 2001 1:20 AM
To: 'INCIDENTS (E-mail)'
Subject: RE: SYN/ACK to port 53

> -----Original Message-----
> From: Ryan Russell [mailto:ryan@securityfocus.com]
> Sent: Thursday, May 24, 2001 12:37 PM
>
> On Thu, 24 May 2001, DeCamp, Paul wrote:
>
> > A SYN/ACK packet is sent to TCP port 53. No SYN was sent from our system.
> > The SYN & ACK sequence numbers appear to be random, but the ACK is always 1
> > less than the SYN. Our system responds with a RST to the ACK.
>
> Exactly what you would expect to see if someone sent them a spoofed packet
> claiming to be from your IP address, source port 53. What are the other
> port numbers?
>
> Now why someone would do that, I can't say. There are some passive
> fingerprinting techniques this might apply for..
>
> Ryan

This SYN/ACK packet reminded me of a thread from about two weeks ago, "DNS ports and scans", which included discussion of filtering TCP requests to 53. One suggestion was to filter inbound connections without the ACK bit set.

If both a normal SYN packet and a spoofed SYN/ACK packet were sent, and the responses compared, an attacker might be able to determine if there were a server listening on the port (but filters were in place) versus nothing listening at all. For example, if the SYN/ACK received an RST, but the SYN returned no response, that could suggest that there is/was/will be something on that port. It's not conclusive, but a decent foundation for a "best guess" kind of thing.

I don't know if any scanners like this currently exist (it's probably hidden in nmap somewhere), but it seems interesting.
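The packets Paul describes (inbound SYN/ACKs that no outbound SYN from the monitored host explains) can be picked out of a connection log as a detection signal. The following is an added example, not code from the thread or its participants; the log format, the monitored address 192.0.2.10 and the sample lines are all constructed, and the seq/ack check flags the "ACK is one less than the SYN" oddity Paul reported.

```python
import re

# Constructed record format (not a real tool's output):
# "<ts> <src>:<sport> > <dst>:<dport> flags=<FLAGS> seq=<n> ack=<n>"
LINE = re.compile(
    r"(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>[A-Z]+) seq=(?P<seq>\d+) ack=(?P<ack>\d+)"
)

OUR_HOST = "192.0.2.10"  # constructed address of the monitored system


def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "seq", "ack"):
        d[k] = int(d[k])
    return d


def find_orphan_synacks(lines, our_host=OUR_HOST):
    """Return inbound SYN/ACKs for which we never sent a SYN on that 4-tuple."""
    outbound_syns = set()  # (our_ip, our_port, peer_ip, peer_port)
    findings = []
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        flags = set(p["flags"])
        if p["src"] == our_host and flags == {"S"}:
            outbound_syns.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif p["dst"] == our_host and {"S", "A"} <= flags:
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if key not in outbound_syns:  # no handshake we started explains it
                findings.append({
                    "ts": p["ts"],
                    "peer": f'{p["src"]}:{p["sport"]}',
                    "dport": p["dport"],
                    "ack_is_seq_minus_1": p["ack"] == p["seq"] - 1,
                })
    return findings


SAMPLE_LOG = [  # constructed: one legitimate handshake, two orphan SYN/ACKs to port 53
    "10:00:01 192.0.2.10:40000 > 198.51.100.5:80 flags=S seq=1000 ack=0",
    "10:00:01 198.51.100.5:80 > 192.0.2.10:40000 flags=SA seq=5000 ack=1001",
    "10:00:02 203.0.113.7:1234 > 192.0.2.10:53 flags=SA seq=77777 ack=77776",
    "10:00:03 203.0.113.7:1235 > 192.0.2.10:53 flags=SA seq=88888 ack=88887",
]
```

Run over real captures, the legitimate handshake is silent and only the two unexplained SYN/ACKs to port 53 surface, each carrying the ack = seq - 1 marker.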