One of our hosted members just approached us with this failure. I am working with a tech at ThePlanet to come up with a response for this one, but it seems that every server that is on a public network is going to get this failure:

--------------------------------
Description: TCP reset using approximate sequence number
Severity: Potential Problem
CVE: CVE-2004-0230
Impact: A remote attacker could cause a denial of service on systems which rely upon persistent TCP connections.

Background: The Transmission Control Protocol (TCP) is the protocol used by services such as telnet, ftp, and smtp to establish a connection between a client and a server. Every TCP packet includes a sequence number in the header to ensure that all packets are received at the destination and re-assembled in the correct order. The sequence numbering begins with an initial sequence number which is chosen by the server and sent to the client when the connection is established. Thus, sequence numbers also help to verify the identity of the client, since only the intended client has knowledge of the initial sequence number. The Border Gateway Protocol (BGP) is a TCP protocol used by routers to exchange routing information. It is primarily used by Internet service providers.

Resolution
To correct this problem on Cisco devices, apply one of the fixes referenced in the Cisco security advisories for [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml] IOS and [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml] non-IOS operating systems. Refer to [US-CERT Vulnerability Note VU#415294 ystems] US-CERT Vulnerability Note VU#415294 and [http://www.uniras.gov.uk/niscc/docs/re-20040420-00391.pdf?lang=en] NISSC vulnerability advisory 236929 for other vendor fixes.

If a fix is not available, this problem can be worked around by using a secure protocol such as [http://rfc.net/rfc2411.html] IPsec, or by filtering incoming connections to services such as BGP which rely on persistent TCP connections at the firewall, such that only allowed addresses may reach them.

Vulnerability Details:
Service: tcp sent spoofed RST packet, received RST packet
--------------------------------

So far, this is the only response I have received from our data center about this one:

"his server is on a public network and not behind any dedicated router nor gateway. As it is a public network, it does have BGP traffic passing across the links. Feel free to update if you have other questions."

So, what now? No way to ever get past a PCI scan ever again or what?
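
The "approximate sequence number" in the report comes down to how a receiver validates an incoming RST. The following is an added example, not part of the post or the scan report: it contrasts the original RFC 793 in-window acceptance with the stricter RFC 5961 check that patched stacks apply. The connection state values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum rst_action { RST_DROP, RST_CHALLENGE_ACK, RST_RESET };
typedef enum rst_action (*rst_check)(uint32_t, uint32_t, uint32_t);

/* RFC 793 acceptability test for a zero-length segment, modulo 2^32. */
static int in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (rcv_wnd == 0)
        return seq == rcv_nxt;
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd; /* unsigned wrap handles rollover */
}

/* Original behaviour: any in-window RST resets the connection. */
enum rst_action rst_rfc793(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return in_window(seq, rcv_nxt, rcv_wnd) ? RST_RESET : RST_DROP;
}

/* RFC 5961 behaviour: exact match resets, other in-window values only
 * trigger a challenge ACK so the genuine peer can confirm. */
enum rst_action rst_rfc5961(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (!in_window(seq, rcv_nxt, rcv_wnd))
        return RST_DROP;
    return seq == rcv_nxt ? RST_RESET : RST_CHALLENGE_ACK;
}

/* Count how many of n consecutive sequence values starting at first reset. */
uint32_t count_resets(rst_check check, uint32_t rcv_nxt, uint32_t rcv_wnd,
                      uint32_t first, uint32_t n)
{
    uint32_t hits = 0;
    for (uint32_t i = 0; i < n; i++)
        hits += check(first + i, rcv_nxt, rcv_wnd) == RST_RESET;
    return hits;
}

int main(void)
{
    /* Constructed state: the window straddles the 2^32 rollover. */
    uint32_t nxt = 0xFFFFFF00u, wnd = 0x200u, first = 0xFFFFFE00u, n = 0x400u;
    printf("RFC 793 : %u of %u values reset\n", count_resets(rst_rfc793, nxt, wnd, first, n), n);
    printf("RFC 5961: %u of %u values reset\n", count_resets(rst_rfc5961, nxt, wnd, first, n), n);
    return 0;
}
```

A scanner that reports this finding is observing the first behaviour; a stack that answers an inexact in-window RST with an ACK instead of closing the connection is showing the second.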