|
It's a weird one for sure. It's a new TCP SYN packet in between each interval. I would say it's a whole new connection but every sequence number and source port is the same which is common with poorly / lazily coded scanning scripts yet they set an MSS of 1400 but then lacks SackOK. EDIT: Turns out NMAP also lacks SackOK eth0 In IP (tos 0x0, ttl 3, id 0, offset 0, flags [none], proto TCP (6), length 44)
209.141.62.239.37300 > [redacted].53: Flags [S], cksum 0x003c (incorrect -> 0xe3dd), seq 3632312462, win 65535, options [mss 1400], length 0
eth0 In IP (tos 0x0, ttl 2, id 0, offset 0, flags [none], proto TCP (6), length 44)
209.141.62.239.37300 > [redacted].53: Flags [S], cksum 0x003c (incorrect -> 0xe3dd), seq 3632312462, win 65535, options [mss 1400], length 0
eth0 In IP (tos 0x0, ttl 1, id 0, offset 0, flags [none], proto TCP (6), length 44)
209.141.62.239.37300 > [redacted].53: Flags [S], cksum 0x003c (incorrect -> 0xe3dd), seq 3632312462, win 65535, options [mss 1400], length 0
I've enabled logging of invalid packets. Hopefully they will try again. |