Internet Security Systems

TCP ACK ping

advICE : Intrusions : 2000310
Summary

If the "intruder" is not somebody you've contacted before, then this indicates somebody attempting a "stealth" scan against your machine. However, if it is somebody you know, then it may simply be an anomaly caused by traffic congestion.

Details

Firewalls can block incoming connections by blocking only the first few frames of a connection. Hackers can therefore "pierce" firewalls by crafting what appear to be responses. Since the firewall believes these to be legitimate responses, it forwards them on through.

This technique cannot be used to compromise the target system, but it can be used to scan the system. If the target of this hacker scan is able to process the indicated traffic, it will send a message back to the hacker. The intent is to inform the sender of a communications error. However, it really informs the hacker that there is something there that they could potentially hack. The hacker's next steps are to find ways to get around the firewall in order to reach this target.
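The following is an added example, not code from ISS or the product: a minimal stateful check that flags inbound ACK segments matching no known connection, while tolerating late retransmissions shortly after a real connection closes (the congestion case described under False Positives). The function names, the 120-second linger window, the sample traffic and the mapping of "4"/"8" to bits 0x40/0x80 are assumptions.

```python
SYN, FIN, RST, ACK = 0x02, 0x01, 0x04, 0x10
# Letters as listed under "parametric information"; mapping "4"/"8" to
# bits 0x40/0x80 is an assumption.
FLAG_LETTERS = [(0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"),
                (0x10, "A"), (0x20, "U"), (0x40, "4"), (0x80, "8")]
LINGER = 120.0  # seconds a closed flow is still tolerated (assumed value)


def flag_string(flags):
    return "".join(letter for bit, letter in FLAG_LETTERS if flags & bit)


def unsolicited_acks(packets, protected):
    """Return inbound ACK segments that belong to no known connection."""
    open_flows, closed_at, alerts = set(), {}, []
    for t, src, sport, dst, dport, flags in packets:
        inbound = dst in protected
        # Key every flow as (local host, local port, remote host, remote port).
        key = (dst, dport, src, sport) if inbound else (src, sport, dst, dport)
        if flags & SYN:
            open_flows.add(key)
            closed_at.pop(key, None)
        elif key in open_flows:
            if flags & (FIN | RST):
                open_flows.discard(key)
                closed_at[key] = t
        elif inbound and flags & ACK:
            # Late retransmissions from a congested peer arrive shortly after
            # a real connection closed; only flag ACKs with no such history.
            if t - closed_at.get(key, float("-inf")) > LINGER:
                alerts.append({"time": t, "intruder": src, "port": dport,
                               "flags": flag_string(flags)})
    return alerts


# Constructed sample traffic: (time, src, sport, dst, dport, flags).
SAMPLE = [
    (0.0, "10.0.0.5", 40000, "192.0.2.80", 80, SYN),          # outbound open
    (0.1, "192.0.2.80", 80, "10.0.0.5", 40000, SYN | ACK),
    (0.2, "10.0.0.5", 40000, "192.0.2.80", 80, ACK),
    (5.0, "192.0.2.80", 80, "10.0.0.5", 40000, FIN | ACK),    # close
    (6.5, "192.0.2.80", 80, "10.0.0.5", 40000, ACK | 0x08),   # late retransmit
    (9.0, "203.0.113.7", 80, "10.0.0.5", 3389, ACK),          # no prior flow
]

if __name__ == "__main__":
    for alert in unsolicited_acks(SAMPLE, protected={"10.0.0.5"}):
        print(alert)
```

A filter that only drops SYN frames would forward both the 6.5 s and the 9.0 s segments; keeping connection state is what lets the second be distinguished from the first.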

False Positives

We are seeing that sometimes websites produce this error when there is network congestion. The anomaly triggers the product into thinking that something unusual is happening. We believe this false positive has been eliminated in version 1.9 of the product.

 more information
advICE: port scan  
Explains port scanning in depth, and describes the various types of port scans.  

 parametric information
port: The TCP destination port.
flags: The TCP flags from the offending frame. The flags are: S (SYN), F (FIN), R (RESET), P (PUSH), A (ACK), U (URGENT), 4 (low-order unused bit), 8 (high-order unused bit).
options: The TCP options from the offending frame. The options are displayed as "option-value", separated by commas. No-ops are not displayed.

 
Version appeared: 1.8.6 
