Discussion: Change in recent ssh scanning (Linux Security forums, System Security and Security Related category)
I've just reviewed some of my recent packet logs, and I notice a change in the recent wave of ssh scanning. (See http://isc.sans.org/diary.php?date=2004-07-28 for background.) Usually the scanner just tries to connect as a lame generic user and guess the password. Starting about a week or so ago, the packets go like so:

    Them:port > Me:ssh - syn (sequence #)
    Me:ssh > Them:port - syn,ack
    Them:port > Me:ssh - syn (sequence # + 300)
    Me:ssh > Them:port - syn,ack
    Them:port > Me:ssh - ack

... and the rest as usual. "Them" is sending a second syn from the same source port, but with an initial sequence number incremented by 300, and starting the handshake over again.

Question: Is there any reason to behave this way? That is, is there some reason (like some vulnerability) to just restart the handshake on the identical connection?

(Side issue: It's been a while since I've read RFCs, but I was a little surprised that my server didn't even blink at the oddity. I would expect a rst or something. What's _supposed_ to happen?)

I suspect the answer is that the scripter has just introduced a bug into his scanner as he plays with the code to add features. Nevertheless, does anyone know definitively?
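The pattern the post describes (a second SYN from the same client port with a different initial sequence number while the first handshake is still pending) is easy to pick out of a flow log once you track handshake state per 4-tuple. The following is an added example, not the poster's code; it parses a constructed, simplified log format (`src:port > dst:port FLAGS [seq=N]`) rather than any real capture, and deliberately does not flag an ordinary SYN retransmit, which reuses the same ISN.

```python
import re
from dataclasses import dataclass

# Constructed log format: "src:sport > dst:dport FLAGS [seq=N]"
# FLAGS is S (syn), SA (syn,ack) or A (ack). Not a real tcpdump format.
LINE_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[SA]+)(?: seq=(?P<seq>\d+))?"
)


@dataclass
class Flow:
    isn: int                      # ISN of the most recent client SYN
    handshake_done: bool = False  # set once the client's final ACK is seen


def find_restarted_handshakes(lines):
    """Return (src, sport, dst, dport, first_isn, new_isn) for every client
    SYN that re-enters a still-pending handshake from the same 4-tuple with
    a different ISN. A retransmitted SYN carrying the same ISN is normal
    TCP behaviour and is not reported."""
    flows = {}
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        flags = m["flags"]
        if flags == "S":
            isn = int(m["seq"])
            flow = flows.get(key)
            if flow is None:
                flows[key] = Flow(isn)
            elif not flow.handshake_done and flow.isn != isn:
                findings.append(key + (flow.isn, isn))
                flow.isn = isn        # track the restarted handshake
        elif flags == "A" and key in flows:
            flows[key].handshake_done = True
        # SA lines come from the server side and carry a reversed key,
        # so they fall through untouched.
    return findings


# Constructed sample: the post's sequence (ISN + 300 restart), followed by a
# benign SYN retransmit on a second port that must not be flagged.
SAMPLE_LOG = """\
198.51.100.7:40312 > 192.0.2.10:22 S seq=1000
192.0.2.10:22 > 198.51.100.7:40312 SA seq=5000
198.51.100.7:40312 > 192.0.2.10:22 S seq=1300
192.0.2.10:22 > 198.51.100.7:40312 SA seq=5000
198.51.100.7:40312 > 192.0.2.10:22 A
198.51.100.7:40399 > 192.0.2.10:22 S seq=2000
198.51.100.7:40399 > 192.0.2.10:22 S seq=2000
192.0.2.10:22 > 198.51.100.7:40399 SA seq=6000
198.51.100.7:40399 > 192.0.2.10:22 A
"""

if __name__ == "__main__":
    for src, sport, dst, dport, old, new in find_restarted_handshakes(SAMPLE_LOG.splitlines()):
        print(f"{src}:{sport} -> {dst}:{dport} restarted handshake, ISN {old} -> {new} (+{new - old})")
```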