Security Incidents mailing list archives
Re: fragment attack of some kind ?
From: heiko.degenhardt () SENTEC-ELEKTRONIK DE (Heiko Degenhardt)
Date: Mon, 17 Apr 2000 13:58:34 +0200
Klavs Klavsen wrote:
Dear sirs,
Dear Klavs,
...
Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17 216.35.71.246:2000 x.x.x.x:33434 L=64 S=0x00 I=22914 F=0x0000 T=242 (#32)
...
Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6 216.35.71.246:2001 x.x.x.x:33434 L=104 S=0x00 I=36448 F=0x0000 T=242 SYN (#24)
...
Am I interpreting it correctly, when I see the first 3 lines, as packages with length 64 (is that odd?) and the #32 means that it's supposed to be the 32nd fragment?
No. For me it looks as if you are using ipchains. Afaik #32 means that the packet was logged from the 32nd rule of your firewall script (you can check that with "ipchains -nvL input | less").
and what does the I stand for ?
Please have a look at the IPCHAINS-Howto: I: IP ID
and the F ?
F: "16-Bit fragment offset plus flags"
the T is the ttl of the package ?
Yes.
And is the second row of packages, the same kind of package as the first one, but with the SYN bit set ?
And the packets come via another protocol. PROTO=17 means udp, PROTO=6 means tcp.
Is there any way that they can be caused by... something initiated by my clients?
I don't know that exactly. As far as I read on http://www.robertgraham.com/pubs/firewall-seen.html#traceroute, packets in the range of 33434-33600/udp may indicate a traceroute (but then you shouldn't see the port 33434 but higher ones). I don't know if versions of traceroute also use tcp. It is also possible that someone was scanning your host.
Rgds.
Heiko.
PS: Sorry if I am not right with that. I am also quite new to that security thing...
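As an added example that is not part of the thread (neither poster's code), the following Python script parses ipchains "Packet log:" lines of the kind quoted above and decodes the fields the reply explains: PROTO (17 = udp, 6 = tcp), L (total length), S (TOS), I (IP ID), F (16-bit fragment offset plus flags), T (TTL), the optional SYN marker and the (#n) rule number. It splits F into the DF/MF bits and the byte offset so a real fragment is told apart from F=0x0000, and it flags UDP to the 33434-33600 range that the cited Robert Graham FAQ associates with traceroute. The first two sample lines are the ones from the thread; the two fragmented lines, the 192.0.2.10 address and the rule number 12 are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# IANA protocol numbers as they appear in the PROTO= field
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# UDP destination ports used by classic Unix traceroute probes (per the cited FAQ)
TRACEROUTE_PORTS = range(33434, 33601)

# ipchains kernel log layout:
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<length> S=<tos> I=<ip id> F=<frag offset+flags> T=<ttl> [SYN] (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: (?P<syn>SYN))? \(#(?P<rule>\d+)\)"
)


@dataclass
class Packet:
    chain: str; action: str; iface: str
    proto: int; src: str; sport: int; dst: str; dport: int
    length: int; tos: int; ipid: int; frag: int; ttl: int
    syn: bool; rule: int

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, str(self.proto))

    @property
    def more_fragments(self) -> bool:  # MF flag, bit 13 of the F field
        return bool(self.frag & 0x2000)

    @property
    def dont_fragment(self) -> bool:   # DF flag, bit 14 of the F field
        return bool(self.frag & 0x4000)

    @property
    def fragment_offset_bytes(self) -> int:  # low 13 bits, units of 8 bytes
        return (self.frag & 0x1FFF) * 8

    @property
    def is_fragment(self) -> bool:
        # F=0x0000 is an unfragmented datagram; a fragment has MF set or a non-zero offset
        return self.more_fragments or self.fragment_offset_bytes > 0


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for an ipchains log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Packet(
        chain=g["chain"], action=g["action"], iface=g["iface"],
        proto=int(g["proto"]), src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), length=int(g["length"]),
        tos=int(g["tos"], 16), ipid=int(g["ipid"]), frag=int(g["frag"], 16),
        ttl=int(g["ttl"]), syn=g["syn"] is not None, rule=int(g["rule"]),
    )


def classify(p: Packet) -> str:
    """Coarse label for the packet, in the terms the thread discusses."""
    if p.is_fragment:
        return "ip fragment"
    if p.proto == 17 and p.dport in TRACEROUTE_PORTS:
        return "udp to traceroute port range (possible traceroute probe)"
    if p.proto == 6 and p.syn and p.dport in TRACEROUTE_PORTS:
        return "tcp SYN to traceroute port range"
    return "unclassified"


# Constructed sample: the two lines from the thread plus one UDP datagram of
# 1500 bytes split into two fragments (offset 0 with MF, then offset 1480).
SAMPLE_LOG = """\
Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17 216.35.71.246:2000 x.x.x.x:33434 L=64 S=0x00 I=22914 F=0x0000 T=242 (#32)
Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6 216.35.71.246:2001 x.x.x.x:33434 L=104 S=0x00 I=36448 F=0x0000 T=242 SYN (#24)
Apr 10 19:36:02 firewall kernel: Packet log: input DENY eth3 PROTO=17 192.0.2.10:53 x.x.x.x:1234 L=1500 S=0x00 I=4711 F=0x2000 T=60 (#12)
Apr 10 19:36:02 firewall kernel: Packet log: input DENY eth3 PROTO=17 192.0.2.10:53 x.x.x.x:1234 L=60 S=0x00 I=4711 F=0x00b9 T=60 (#12)
"""


def analyze(log: str) -> List[dict]:
    """Decode every ipchains line in the log into a summary dict."""
    out = []
    for line in log.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        out.append({"proto": p.proto_name, "dst_port": p.dport, "rule": p.rule,
                    "ttl": p.ttl, "ip_id": p.ipid, "more_fragments": p.more_fragments,
                    "fragment_offset": p.fragment_offset_bytes, "verdict": classify(p)})
    return out


if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG):
        print(row)
```

Running the script prints one summary per line; the two quoted packets come out as unfragmented (offset 0, MF clear), logged by rules 32 and 24, while the constructed pair with the same IP ID 4711 shows what an actual fragment looks like in the F field.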