Security Incidents mailing list archives
Incident with ports: 4 and 8
From: KDURAN () PN USBR GOV (Kenneth Duran)
Date: Tue, 15 Feb 2000 07:34:43 -0700
Greetings for the Cold Northwest,

I think what I have is a mis-configured link to an authorized web page. The link is from a UUNet site to one of my web servers behind a SonicWall F/W. The foreign Page is of M$ FrontPage construction and when the 'action' (I call it this because of a lack of another word) occurs packets are sent to port 4 (IP encapsulation) and port 8 (EGP - Gateway Protocol). According to the log files and the captures it is started when the link is opened and lasts for the duration of the connection. This only started after 1645 on 11 Feb 2000.

The F/W logged it as a Ping of Death attack. For some reason I do not believe this conclusion. Any other possibilities?

I do not have the logs at this time but I can get excerpts if needed to complete the investigation. And we have been in contact with the foreign site to perform some checking at their end.

Kenneth M. Duran
PN Network Security Manager
kduran () pn usbr gov
(208)-378-5146