Rst attack

Discussion in 'other firewalls' started by discogail, Feb 13, 2003.

Thread Status:
Not open for further replies.
  1. discogail

    discogail Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    151
    First time I've ever seen this logged by my firewall. I'm doing some research now.......thought I'd see if anyone has any insight......
    2/13/03 9:19:57 PM   Rst attack   209.130.101.163 -> 209.130.101.163   
    2/13/03 9:19:40 PM   Port scanned   209.130.101.163   TCP(2805) TCP(2804)
    2/13/03 9:19:40 PM   Connection request   209.130.101.163   TCP(2805)
    2/13/03 9:19:29 PM   Connection request   209.130.101.163 TCP (2804)

    The IP address turns out to be an internet radio station....that I was listening to at the time.
     
  2. WYBaugh

    WYBaugh Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    122
    Location:
    Florida
    Discogail,

    I'm not sure if this will help you but here's a quote from http://online.securityfocus.com/infocus/1580

    SYN scans - Also known as "half-open" scans are one way an attacker can try to enumerate ports on a system in a stealthy manner. These scans only execute the first two steps of the TCP 3-way handshake. The initiating system sends a TCP SYN packet as though it were requesting to open a full connection. The target system responds with a SYN-ACK packet. The initiator then sends a TCP RST (reset) packet back to the target, thereby closing the connection. The idea here is to prevent the full connection from being established since it may possibly be logged.

    Bill
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi discogail

    Is that the only information provided by your logs/firewall for the Rst attack? Anything on source port/destination port? Is this an alert from an IDS?

    If this occurred during and as part of a valid connection, it is likely a false positive.

    Regards,

    CrazyM
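
Added example, not part of any poster's message: a small Python classifier that separates the half-open scan sequence quoted above (SYN, SYN-ACK, RST from the initiator) from a reset that arrives inside an already established connection, the case described as a likely false positive. The packet records, addresses and the names `flow_key` and `classify_flows` are constructed for illustration and are not taken from any firewall's own logic.

```python
from collections import defaultdict

# Constructed sample packets (hypothetical): (src, sport, dst, dport, TCP flags)
PACKETS = [
    # Flow A: full handshake, data, then the server resets the stream
    ("10.0.0.5", 2804, "192.0.2.10", 80, "S"),
    ("192.0.2.10", 80, "10.0.0.5", 2804, "SA"),
    ("10.0.0.5", 2804, "192.0.2.10", 80, "A"),
    ("192.0.2.10", 80, "10.0.0.5", 2804, "PA"),
    ("192.0.2.10", 80, "10.0.0.5", 2804, "R"),
    # Flow B: SYN, SYN-ACK, then RST from the initiator (never completes)
    ("198.51.100.7", 40000, "10.0.0.5", 22, "S"),
    ("10.0.0.5", 22, "198.51.100.7", 40000, "SA"),
    ("198.51.100.7", 40000, "10.0.0.5", 22, "R"),
    # Flow C: RST with no handshake observed at all
    ("203.0.113.9", 5555, "10.0.0.5", 2805, "R"),
]

def flow_key(src, sport, dst, dport):  # same key for both directions
    return tuple(sorted([(src, sport), (dst, dport)]))

def classify_flows(packets):
    flows = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        flows[flow_key(src, sport, dst, dport)].append(((src, sport), flags))
    verdicts = {}
    for key, pkts in flows.items():
        initiator = None
        synack = established = False
        verdict = "no reset"
        for sender, flags in pkts:
            if flags == "S" and initiator is None:
                initiator = sender
            elif flags == "SA" and initiator is not None and sender != initiator:
                synack = True
            elif "R" in flags:
                if initiator is None:
                    verdict = "stray RST (no handshake seen)"
                elif established:
                    verdict = "RST inside established connection"
                elif synack and sender == initiator:
                    verdict = "half-open (SYN) scan pattern"
                else:
                    verdict = "refused or aborted handshake"
                break
            elif "A" in flags and synack and sender == initiator:
                established = True  # third step of the handshake completed
        verdicts[key] = verdict
    return verdicts
```

Only the second verdict matches the scan described in the quote; a reset after a completed handshake is ordinary connection teardown and is the kind of event a log entry like the one above can mislabel.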
     
  4. discogail

    discogail Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    151
    Yeah...CrazyM...from what I've read about this kind of attack .......it's gotta be some kind of misinterpretation. I tried the station again...& got the same result....from Outpost Firewall....the TCP ports shown are the destination ports. Thanks...& thanks, too, WYBaugh.
     
  5. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Occasionally Outpost will interpret a malformed packet as a reset packet and give that entry. It is a false report and should be ignored.
     
  6. discogail

    discogail Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    151
    Thanks.....root ;)
     