nmap shows random open ports on localhost for a fraction of a second

Question

When I scan myself I will often see random open ports:

nmap -sT -T normal -p 1-65535 localhost

E.g.

43194/tcp open  unknown         


        

Answer 1

Yes, this is a known issue with Linux: a connection to localhost on a closed ephemeral port has a small chance (usually about 1 in 28000) of connecting to itself with a 4-way or "split" handshake. Nmap suffers the most from this bug, since it connects to so many different ports at once that the chances amount to a near-certainty of happening at least once in a localhost -sT (TCP Connect) scan.

Nmap has a long history with this bug. In 1999, Fyodor reported it to the LKML, but it was deemed to be an edge case in the RFC, and not a bug in the Linux kernel. A workaround was put in place in 2000, but it was removed in February 2013 as part of a cleanup effort, since it had a race condition. The next release was Nmap 6.40, which you say shows the invalid results.

Last summer, I introduced a change to check for and re-test these spurious results. The next release of Nmap will not have the same problem.

---

EDIT: The bug affected versions 6.40 - 6.47. It was fixed in 6.49BETA1 (2015-06-03).