What is going on here?

Can anyone explain what exactly is going on here:

Date/Time :2007-10-03 14:40:39
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Invalid Flag Combination)
Direction: TCP Incoming
Source: 194.XXX.XXX.XXX:49207
Destination: 192.XXX.X.XX:55686
Reason: SYN FIN RST PSH URG CWR is an invalid TCP flag combination

How dangerous is this?

Both source and destination are private IP addresses, so there’s no cause for concern.

The source address (194.xxx.xxx.xxx) doesn’t appear to be a “private ip address”.

I sometimes tend to be a bit tinfoil-hat paranoid, from the day-job perspective. Take this with a very large helping of salt.

If your destination address is 192.168.x.x, then it's a private address, which is typically the case if you're behind a router. Otherwise you're a live address on the Internet.

What is it: It’s a TCP packet with all the flags set. That will never happen with a proper TCP stack. It takes either a horrible misconfiguration, a compromised sender host, or a scanner like nmap.

If you are behind a router, then there are two questions that come to mind:

One is why the router didn't recognize an invalid TCP packet and block it. Bug, design "feature", or something, it let it through. Either a firmware upgrade may be in order, or just be aware that the router has a limitation, and set your defenses accordingly.

Two is how it got past the router doing NAT with stateful packet inspection. That would seem to imply that the packet was in response to whatever you were doing. In that case, this isn't a scan, but something that you tripped over while surfing the 'Net. That would increase the likelihood of the sender being a compromised host. Worst case would be an MPack server.

If you're not behind a router, then your CFP is facing the Internet directly, and has done its job properly. If you weren't doing any surfing at that moment, then most likely some script kiddie with an nmap-like scanner was playing with parameter settings. If you were surfing along, then question two above is relevant.

Probably wouldn’t hurt to do a HiJackThis scan, just to eyeball for yourself for anything unrecognizable.
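As an added illustration of the "invalid flag combination" check the firewall performed (example code written for this page, not part of the original thread or of any firewall product): the script below decodes the flag byte of a raw TCP header, parses the flag list out of a log line like the one quoted above, and applies the rules a stateful inspector would use to decide that a combination can never come from a well-behaved stack. The ports are the ones from the log; the sequence numbers, the 20-byte headers and the log string are constructed sample input.

```python
"""
Decode TCP flags from a raw header or a firewall log line and classify
combinations that a conforming TCP stack never emits.

Added example for this thread, not the firewall's own logic.  The header
bytes and the log line used below are constructed sample data.
"""
import struct
from typing import Optional, Set

# Flag bit positions in byte 13 of the TCP header (RFC 793; CWR/ECE from RFC 3168).
TCP_FLAGS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}


def build_header(sport: int, dport: int, flags: Set[str],
                 seq: int = 0, ack: int = 0) -> bytes:
    """Build a minimal 20-byte TCP header (no options) with the given flags.

    Checksum is left as zero: this is constructed sample data, not a packet
    meant to be sent.
    """
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAGS[name]
    # data offset 5 words (20 bytes) in the high nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flag_byte, 65535, 0, 0)


def flags_from_header(header: bytes) -> Set[str]:
    """Return the set of flag names set in a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    data_offset = header[12] >> 4
    if data_offset < 5:
        raise ValueError("TCP data offset below the 20-byte minimum")
    flag_byte = header[13]
    return {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}


def flags_from_log(reason: str) -> Set[str]:
    """Pull the flag names out of a log line such as
    'Reason: SYN FIN RST PSH URG CWR is an invalid TCP flag combination'."""
    return {tok for tok in reason.upper().replace(":", " ").split()
            if tok in TCP_FLAGS}


def classify(flags: Set[str]) -> Optional[str]:
    """Return why a flag combination is invalid, or None if it is legitimate.

    Legitimate segments are: a bare SYN (optionally with ECE+CWR for ECN
    negotiation), a RST (optionally with ACK), and anything else carrying ACK.
    Everything below is something only a crafted packet produces; nmap's
    -sN, -sF and -sX scans generate the ACK-less cases deliberately.
    """
    if not flags:
        return "no flags set (null scan)"
    if {"SYN", "FIN"} <= flags:
        return "SYN and FIN together: a segment cannot open and close a connection"
    if {"SYN", "RST"} <= flags:
        return "SYN and RST together: a segment cannot open and abort a connection"
    if "SYN" in flags and flags - {"SYN", "ACK", "ECE", "CWR"}:
        return "SYN carrying flags other than ACK/ECE/CWR"
    if "ACK" not in flags and "SYN" not in flags and "RST" not in flags:
        # Only an initial SYN or a RST may legitimately lack ACK (RFC 793).
        return "no ACK on a segment that is neither SYN nor RST (FIN/Xmas scan)"
    return None


if __name__ == "__main__":
    # The combination reported in the thread, rebuilt as a raw header.
    log_line = "Reason: SYN FIN RST PSH URG CWR is an invalid TCP flag combination"
    reported = flags_from_log(log_line)
    header = build_header(49207, 55686, reported, seq=0x1234)
    decoded = flags_from_header(header)
    print(sorted(decoded), "->", classify(decoded))
    for combo in ({"SYN"}, {"SYN", "ACK"}, {"PSH", "ACK"}, set(), {"FIN", "PSH", "URG"}):
        print(sorted(combo), "->", classify(combo))
```

The rules are deliberately conservative: they flag only combinations that cannot occur in a correct TCP exchange, so legitimate ECN handshakes (SYN with ECE and CWR) and ordinary data segments pass, while the logged packet is rejected on the first rule (SYN together with FIN) before the other oddities are even considered.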