Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
From this article at the nmap site (originally from network-magazine)
The final stage uses SYN packets to probe for initial sequence
numbers. Nmap sends a couple of resets first to the open port, then
sends six packets with just SYN set (the normal method for opening a
TCP connection), followed each time with a reset (a TCP header with
reset and ACK flags set, which aborts the connection). The sequence
numbers in packets sent increase incrementally by one each time; this
is abnormal behavior but is characteristic of sequence number
collectors, such as rbone and the unpublished tool used to take down
security specialist Tsutomo Shimomura's site on Christmas Day, 1994
(see "Source Address Spoofing," May 2000).
Nmap collects the initial sequence numbers received from the target
and looks for a pattern in the way they are incremented. Really old
Unix systems still use a constant increment, while newer and more
secure systems use a random increment. Newer Microsoft stacks use a
time-dependent increment, which might make them vulnerable if they ran
a Unix service such as rlogind (which is not the case).