Forum Discussion

mframpton_60606's avatar
mframpton_60606
Icon for Nimbostratus rankNimbostratus
Oct 23, 2008

Unused ports respond to port scan

We're in the process of nailing down open ports on our network. We've found that if we do a port scan on an LTM VIP with a defined port, all the unused ports will responded with an ACK then Reset, wh...
config
design
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Nov 06, 2008
I'd suggest configuring this in an upstream fiirewall.

 

 

I haven't delved into the RFC's on this, but WinXP and Linux 2.6 both answer with a RST ACK when a client makes a request to a configured IP on a port which isn't in a listening state:

 

 

$ tshark -nr winxp_rst_ack.dmp

 

1 0.000000 1.1.1.1 -> 2.2.2.2 TCP 1262 > 10000 [SYN] Seq=0 Win=64240 Len=0 MSS=1237

 

2 0.000045 2.2.2.2 -> 1.1.1.1 TCP 10000 > 1262 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

 

3 0.569805 1.1.1.1 -> 2.2.2.2 TCP 1262 > 10000 [SYN] Seq=0 Win=64240 Len=0 MSS=1237

 

4 0.569852 2.2.2.2 -> 1.1.1.1 TCP 10000 > 1262 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

 

5 1.174020 1.1.1.1 -> 2.2.2.2 TCP 1262 > 10000 [SYN] Seq=0 Win=64240 Len=0 MSS=1237

 

6 1.174071 2.2.2.2 -> 1.1.1.1 TCP 10000 > 1262 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

 

 

tcpdump -ni eth0 tcp port 10000

 

17:33:48.237046 IP 2.2.2.2.4776 > 3.3.3.3.10000: S 844152135:844152135(0) win 64512

 

17:33:48.237052 IP 3.3.3.3.10000 > 2.2.2.2.4776: R 0:0(0) ack 844152136 win 0

 

17:33:48.597120 IP 2.2.2.2.4776 > 3.3.3.3.10000: S 844152135:844152135(0) win 64512

 

17:33:48.597125 IP 3.3.3.3.10000 > 2.2.2.2.4776: R 0:0(0) ack 1 win 0

 

17:33:49.143940 IP 2.2.2.2.4776 > 3.3.3.3.10000: S 844152135:844152135(0) win 64512

 

17:33:49.143947 IP 3.3.3.3.10000 > 2.2.2.2.4776: R 0:0(0) ack 1 win 0

 

uname -a

 

Linux devserver 2.6.22-14-server 1 SMP Tue Feb 12 08:27:05 UTC 2008 i686 GNU/Linux

 

 

Aaron