On Thu, 16 May 1996, Henri Karrenbeld wrote: > I am afraid I do not read other security lists besides this one (I glance at > Linux-alert and Linux-security occasionally when linux.dev.* mentions something)And of course stuff like cert-advisory, but in none of these have I seen > what actually can be done with SYN packets... Could someone explain this? Services can be probed for. Let's take 2 short examples: Attacker sends a syn packet to port 23 (telnet) There is no server on that port, so the server sends back a rst|syn sequence (acknowledging the syn, and tearing down the connection). In this case, nothing was listening, no logs will generally be generated. Now, an attacker does the same thing, but to say port 25 (smtp) There is a server on this port, the server sends back a ack|syn sequence The bad guy now knows there is something on the port, but because the three way handshake has not been completed it is not logged, the bad guy can then send a rst tearing down the connection, since he has the information he is after. I think some time ago a detailed post was made to this list describing the various ways a stealth scanner could be implemented, although i'm not 100% sure. Brian Mitchell brian@saturn.net World Wide Web http://www.saturn.net/~brian "I never give them hell. I just tell the truth and they think it's hell" - H. Truman