On Fri, Jun 06, 2003 at 10:12:05PM +0200, Florian Weimer wrote:
> > But does nmap generate the packets WITHOUT the SYN flag set? Which is
> > what these are...
>
> In this case, it's probably backscatter. Could you tell us a few
> source/destination pairs? I could have a look at our flow database at
> work and look for similar incidents.

I don't see any reason to assume that it's backscatter. Look at the Null scan mode of nmap. No flags (SYN, ACK, FIN, whatever) are set. Using that scan mode with a source port of something like 80 is going to get you through a lot of firewalls out there. I think it's far more likely that this is what you're seeing, especially if you're seeing it hit incrementing ports or IP addresses.

noah

--
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
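
Added example, not part of the original message: a Python sketch of the distinction argued in this thread, labelling each source in a set of flow records as a null-scan sweep (no TCP flags, incrementing ports or addresses) or as backscatter-like (SYN/ACK or RST replies). The record layout, the threshold, the function names and the sample addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

# Constructed sample records (documentation addresses), in arrival order:
# (src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE = [
    ("198.51.100.7", 80, "192.0.2.10", 21, 0x00),
    ("198.51.100.7", 80, "192.0.2.10", 22, 0x00),
    ("198.51.100.7", 80, "192.0.2.10", 23, 0x00),
    ("198.51.100.7", 80, "192.0.2.10", 25, 0x00),
    ("203.0.113.9", 80, "192.0.2.44", 31822, SYN | ACK),
    ("203.0.113.9", 80, "192.0.2.91", 4410, RST | ACK),
    ("203.0.113.9", 80, "192.0.2.17", 52003, SYN | ACK),
    ("198.51.100.20", 80, "192.0.2.30", 1045, ACK),
]

def increasing(values, min_len):
    """True if at least min_len distinct values arrive in increasing order."""
    values = list(dict.fromkeys(values))  # drop retransmits, keep arrival order
    return len(values) >= min_len and all(a < b for a, b in zip(values, values[1:]))

def classify(records, min_len=3):
    """Label each source address by the flag pattern of the packets it sent."""
    null_ports = defaultdict(lambda: defaultdict(list))  # src -> dst -> [dport]
    null_hosts = defaultdict(lambda: defaultdict(list))  # src -> dport -> [dst]
    replies = defaultdict(int)                           # src -> reply count
    seen = set()
    for src, _sport, dst, dport, flags in records:
        seen.add(src)
        if flags == 0:  # no SYN, ACK, FIN or anything else: a null probe
            null_ports[src][dst].append(dport)
            null_hosts[src][dport].append(int(ipaddress.ip_address(dst)))
        elif (flags & RST) or (flags & (SYN | ACK)) == (SYN | ACK):
            replies[src] += 1  # what a host answering spoofed traffic sends
    verdict = {}
    for src in seen:
        runs = list(null_ports[src].values()) + list(null_hosts[src].values())
        if any(increasing(v, min_len) for v in runs):
            verdict[src] = "null-scan sweep"
        elif replies[src] >= min_len and not null_ports[src]:
            verdict[src] = "backscatter-like"
        else:
            verdict[src] = "unclassified"
    return verdict
```

Anything that matches neither pattern stays "unclassified", so a lone ACK with source port 80 is left for a person to look at.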