First time I've ever seen this logged by my firewall. I'm doing some research now.......thought I'd see if anyone has any insight......

2/13/03 9:19:57 PM Rst attack 209.130.101.163 -> 209.130.101.163
2/13/03 9:19:40 PM Port scanned 209.130.101.163 TCP(2805) TCP(2804)
2/13/03 9:19:40 PM Connection request 209.130.101.163 TCP(2805)
2/13/03 9:19:29 PM Connection request 209.130.101.163 TCP (2804)

The IP address turns out to be an internet radio station....that I was listening to at the time.
Discogail, I'm not sure if this will help you, but here's a quote from http://online.securityfocus.com/infocus/1580:

SYN scans - Also known as "half-open" scans are one way an attacker can try to enumerate ports on a system in a stealthy manner. These scans only execute the first two steps of the TCP 3-way handshake. The initiating system sends a TCP SYN packet as though it were requesting to open a full connection. The target system responds with a SYN-ACK packet. The initiator then sends a TCP RST (reset) packet back to the target, thereby closing the connection. The idea here is to prevent the full connection from being established since it may possibly be logged.

Bill
Hi discogail,

Is that the only information provided by your logs/firewall for the Rst attack? Anything on source port/destination port? Is this an alert from an IDS? If this occurred during and as part of a valid connection, it is likely a false positive.

Regards,
CrazyM
Yeah...CrazyM...from what I've read about this kind of attack .......it's gotta be some kind of misinterpretation. I tried the station again...& got the same result....from Outpost Firewall....the TCP ports shown are the destination ports. Thanks...& thanks, too, WYBaugh.
Occasionally Outpost will interpret a malformed packet as a reset packet and give that entry. It is a false report and should be ignored.
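Added example, not part of the thread and not Outpost's own logic: a small Python classifier that separates the half-open pattern quoted above (SYN, SYN-ACK, then RST from the initiator) from a reset that arrives inside an already established connection, the false-positive case raised in the replies. The packet records, addresses and the `min_ports` threshold are constructed assumptions.

```python
from collections import defaultdict

def classify_flows(packets):
    """Map each flow (initiator, iport, target, tport) to its handshake state."""
    state = {}
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S" and fwd not in state:
            state[fwd] = "syn_sent"                 # step 1: SYN
        elif flags == "SA" and state.get(rev) == "syn_sent":
            state[rev] = "syn_ack_seen"             # step 2: SYN-ACK
        elif flags == "A" and state.get(fwd) == "syn_ack_seen":
            state[fwd] = "established"              # step 3: handshake completed
        elif "R" in flags:
            key = fwd if fwd in state else rev if rev in state else None
            if key == fwd and state[key] == "syn_ack_seen":
                state[key] = "half_open"            # initiator reset instead of ACK
            elif key is not None and state[key] == "established":
                state[key] = "reset_after_established"  # reset inside a valid connection
    return state

def suspected_scanners(packets, min_ports=3):
    """Initiators with half-open flows to at least min_ports distinct ports.

    min_ports is an assumed threshold for this example, not a vendor default.
    """
    ports = defaultdict(set)
    for (initiator, _, _, tport), st in classify_flows(packets).items():
        if st == "half_open":
            ports[initiator].add(tport)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}

def _half_open(src, sport, dst, dport):
    """Constructed packet records for one half-open exchange."""
    return [(src, sport, dst, dport, "S"), (dst, dport, src, sport, "SA"),
            (src, sport, dst, dport, "R")]

# Constructed sample traffic using documentation address ranges.
PACKETS = (
    _half_open("192.0.2.10", 40001, "203.0.113.5", 22)
    + _half_open("192.0.2.10", 40002, "203.0.113.5", 80)
    + _half_open("192.0.2.10", 40003, "203.0.113.5", 443)
    + [("198.51.100.7", 51000, "203.0.113.5", 8000, "S"),   # normal client
       ("203.0.113.5", 8000, "198.51.100.7", 51000, "SA"),
       ("198.51.100.7", 51000, "203.0.113.5", 8000, "A"),
       ("203.0.113.5", 8000, "198.51.100.7", 51000, "RA")]  # server tears down
)

if __name__ == "__main__":
    print(suspected_scanners(PACKETS))
```

Only the initiator that reset three handshakes on three different ports is reported; the flow that completed its handshake before the reset is classified separately and does not count toward a scan.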