openssh vulnerability WITH TCP DUMP!

Darren Tucker dtucker at
Fri Nov 4 23:51:29 EST 2005

On Fri, Nov 04, 2005 at 11:18:59PM +1100, Darren Tucker wrote:
> [...] it looks like the ssh connection was being
> dropped immediately after establishment (such as would be expected if,
> eg, you are using tcpwrappers).

Damien's explanation of this as nmap-like half-open scanning is much
better than the one above (for one thing, a connection dropped by
tcpwrappers should have the entire 3-way TCP handshake).

BTW I've decoded all of the first 2 packets: they're pretty vanilla TCP
SYN/SYN-ACK packets to/from port 22 with TCP options (MSS=1460 and "SACK
permitted").  Nothing of interest.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
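
Added example, not part of the original message or of OpenSSH: a small Python decoder for raw TCP headers that reads the options mentioned above (MSS, "SACK permitted") and tells a half-open probe from a connection that completed the 3-way handshake before being dropped. The client port, window size and the two sample flows are constructed, and the IP/Ethernet layers are assumed to be already stripped.

```python
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits

def tcp_header(sport, dport, flags, options=b""):
    """Build a constructed TCP header (seq/ack/checksum zero) for the samples."""
    options += b"\x01" * (-len(options) % 4)   # NOP-pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       offset << 4, flags, 5840, 0, 0) + options

def parse_tcp(hdr):
    """Return (sport, dport, flags, options) decoded from a raw TCP header."""
    sport, dport, _, _, off, flags = struct.unpack("!HHIIBB", hdr[:14])
    opts, i, end = {}, 20, min((off >> 4) * 4, len(hdr))
    while i < end and hdr[i] != 0:             # kind 0 = end of option list
        kind = hdr[i]
        if kind == 1:                          # NOP is a single byte
            i += 1
            continue
        length = hdr[i + 1] if i + 1 < end else 0
        if length < 2 or i + length > end:     # malformed option: stop decoding
            break
        if kind == 2 and length == 4:
            opts["MSS"] = struct.unpack("!H", hdr[i + 2:i + 4])[0]
        elif kind == 4 and length == 2:
            opts["SACK permitted"] = True
        i += length
    return sport, dport, flags, opts

def classify(headers, server_port=22):
    """Did the client ever ACK the server's SYN/ACK on this flow?"""
    seen_syn = seen_synack = False
    for hdr in headers:
        sport, dport, flags, _ = parse_tcp(hdr)
        if dport == server_port and flags & (SYN | ACK) == SYN:
            seen_syn = True
        elif sport == server_port and flags & (SYN | ACK) == (SYN | ACK):
            seen_synack = seen_syn
        elif dport == server_port and seen_synack:
            if flags & RST:
                return "half-open"
            if flags & ACK:
                return "handshake completed"
    return "half-open" if seen_synack else "no SYN/ACK seen"

# Constructed sample flows (client port 40000 is an arbitrary choice).
OPTS = b"\x02\x04" + struct.pack("!H", 1460) + b"\x04\x02"   # MSS=1460, SACK permitted
SCAN = [tcp_header(40000, 22, SYN, OPTS), tcp_header(22, 40000, SYN | ACK, OPTS),
        tcp_header(40000, 22, RST)]
WRAPPED = [tcp_header(40000, 22, SYN, OPTS), tcp_header(22, 40000, SYN | ACK, OPTS),
           tcp_header(40000, 22, ACK), tcp_header(22, 40000, FIN | ACK)]
```

A capture that ends after the SYN/SYN-ACK pair, like the two packets decoded above, is also reported as half-open because the final ACK never appears.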

More information about the openssh-unix-dev mailing list