Hosting Provided By

RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second

From: Hornat, Charles <Charles_Hornat(at)standardandpoors.com>
Date: Fri Dec 27 2002 - 11:57:50 EST

In turn, couldn't this be turned into an attack? A DOS of sorts?

Charles

-----Original Message-----
From: Fyodor [mailto:fyodor@insecure.org] Sent: Tuesday, December 24, 2002 2:18 PM To: alfaentomega
Cc: incidents@securityfocus.com
Subject: Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second

On Mon, Dec 23, 2002 at 09:33:59PM -0800, alfaentomega wrote:

> I found out that by default nmap doesn't scan every

This may be a problem with your Linux kernel. When Nmap (or many other applications, such as Telnet) does a connect() call, the OS is supposed to choose a good souce port to bind to for the connection. When you connect() to a ephemeral port (1024-4999 or so) on localhost, there is a chance that the system will decide to use as a source port the very port you are connecting to. In a bizarre twist, the application then ends up "connecting to itself"! I consider this to be a Linux kernel bug, but my reports to the linux-kernel list (and offers to fix the problem) have been unheeded. Here is my first posting (from 1999):

http://marc.theaimsgroup.com/?l=linux-kernel&m=93598368005241&w=2

So the short summary is that it is just a Linux bug which the developers argue is a feature that they don't intend to fix. I do have a workaround in place for Nmap versions released in the last two or three years -- what version of Nmap are you using and what are the exact command-line arguments?

New versions of the Nmap Security Scanner can be found at http://www.insecure.org/nmap/

Do you need help?

Cheers,
Fyodor

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

The information contained in this message is intended only for the recipient, and may be a confidential attorney-client communication or may otherwise be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, please be aware that any dissemination or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify us by replying to the message and deleting it from your computer.

Thank you,

Standard & Poor's

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Fri Dec 27 13:23:50 2002

This message: [ Message body ]
Next message: Neil Dickey: "Re: NIMDA - ceased ? -"
Maybe in reply to: alfaentomega: "Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second"
In reply to Charles.Fasching(at)milestonesystems.com: "RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT