CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

1. CCSA/CCSE One-Week Dual-Certification Training Course with CPUG in San Francisco!
    Courses Starting (2009) 1/19, 2/9, 3/9, 4/6, 5/4, 6/8, 7/6, 8/3.
2. Join Us On LinkedIn - We now have a CPUG group.


Go Back   CPUG: The Check Point User Group > Check Point Firewall-1/VPN-1 And Related Products > Miscellaneous
TCP Flags: SYN-ACK-URG TCP Header Corrupt TCP Flags: SYN-ACK-URG TCP Header Corrupt
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 2005-09-19
Member
  
Join Date: 2005-08-30
Location: Perth, Australia
Posts: 72
Rep Power: 4
intehnet has an average reputation (10+)
Default TCP Flags: SYN-ACK-URG TCP Header Corrupt
All,

SmartDefense picked up this packet sent into my network. destination was an entire subnet (sent to x.x.x.0), on a TCP high port, with the TCP flags SYN-ACK-URG.
I can't work out if this was a malformed packet or some sort of exploit I haven't heard of before.
IIRC, windows 95 blew chunks when it was sent URG when in a certain state?

It's not urgent obviously, but just curious..
Reply With Quote
  #2 (permalink)  
Old 2005-09-21
Junior Member
  
Join Date: 2005-09-06
Location: Singapore
Posts: 16
Rep Power: 0
srikrishnak has an average reputation (10+)
Default Re: TCP Flags: SYN-ACK-URG TCP Header Corrupt
The Urgent Pointer is used when some information has to reach the server ASAP. When the TCP/IP stack at the other end sees a packet using the Urgent Pointer, it is duty bound to stop all it's doing and immediately send this packet to the relevant server. Since the packet is plucked out of the processing queue and acted upon immediately, it is known as an Out Of Band (OOB) packet and the data is called Out Of Band (OOB) data. The Urgent Pointer is usually used in Telnet, where an immediate response (e.g. the echoing of characters) is desirable.
May be FW-1 sees it as some attack ;)
Reply With Quote
  #3 (permalink)  
Old 2005-09-22
Member
  
Join Date: 2005-08-30
Location: Perth, Australia
Posts: 72
Rep Power: 4
intehnet has an average reputation (10+)
Default Re: TCP Flags: SYN-ACK-URG TCP Header Corrupt
thanks, it's a corrupt header, just happens to have URG in it.
Sounds dodgey to me, it's coming from one IP to an entire subnet.
Reply With Quote
  #4 (permalink)  
Old 2005-09-22
Junior Member
  
Join Date: 2005-09-06
Location: Singapore
Posts: 16
Rep Power: 0
srikrishnak has an average reputation (10+)
Default Re: TCP Flags: SYN-ACK-URG TCP Header Corrupt
Happens some times..whatever the reason may be..weather an application error or a program issue..Even a BAD NIC card could be the culprit.
Reply With Quote
  #5 (permalink)  
Old 2005-09-26
Junior Member
  
Join Date: 2005-09-26
Posts: 2
Rep Power: 0
wancom has an average reputation (10+)
Default Re: TCP Flags: SYN-ACK-URG TCP Header Corrupt
I see this same behavior from 61.133.3.47 to a couple of our networks. The traffic is always to a.b.c.0. This has been going on for over a week now. I cant find any mention of an exploit - or any advisories - however that source address is being reported pretty frequently at dshield.org
Reply With Quote
  #6 (permalink)  
Old 2005-09-26
Member
  
Join Date: 2005-08-30
Location: Perth, Australia
Posts: 72
Rep Power: 4
intehnet has an average reputation (10+)
Default Re: TCP Flags: SYN-ACK-URG TCP Header Corrupt
wancom, that's the same IP i'm getting the traffic from!!

how odd!
Reply With Quote
  #7 (permalink)  
Old 2005-09-28
Member
  
Join Date: 2005-08-15
Posts: 36
Rep Power: 0
flawless_cowboy has an average reputation (10+)
Default Re: TCP Flags: SYN-ACK-URG TCP Header Corrupt
oddly enough, i see the same thing from the same IP.
Reply With Quote
  #8 (permalink)  
Old 2005-10-03
Member
  
Join Date: 2005-08-30
Location: Perth, Australia
Posts: 72
Rep Power: 4
intehnet has an average reputation (10+)
Default Re: TCP Flags: SYN-ACK-URG TCP Header Corrupt
it has a webserver open, in chinese i think..
Reply With Quote
  #9 (permalink)  
Old 2005-10-03
Junior Member
  
Join Date: 2005-10-03
Posts: 1
Rep Power: 0
rcarlin has an average reputation (10+)
Default Re: TCP Flags: SYN-ACK-URG TCP Header Corrupt
I'm picking up the same thing here on our network. The source has been constant from 61.133.3.47. WHOIS shows that to be a Chinese newspaper network. I noticed it today and found that it started on the 19th.

The source port appears to be 80/tcp with random destination ports. The rate is also 1-3 per hour.
Reply With Quote
  #10 (permalink)  
Old 2005-10-07
Member
  
Join Date: 2005-08-30
Location: Perth, Australia
Posts: 72
Rep Power: 4
intehnet has an average reputation (10+)
Default Re: TCP Flags: SYN-ACK-URG TCP Header Corrupt
i've blocked this IP from my network, even though it's packets were being dropped anyway.
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT -7. The time now is 20:28.

Contact Us - CPUG Home Page - Archive - Top

Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.2.0