Security Incidents mailing list archives
Re: Strange TCP headers
From: Matt Zimmerman <mdz () csh rit edu>
Date: Fri, 10 May 2002 12:17:38 -0400
On Fri, May 10, 2002 at 10:40:19AM -0500, pbsarnac () ThoughtWorks com wrote:
> Starting on May 8 and continuing on through today, my firewall has been picking up malformed TCP packets. The PIX complains about bad header lengths, but the flag combinations that are showing up are extremely strange. The source IP addresses are varied, and the destination IPs are all NAT'd client workstations... not servers.
>
> The interesting thing is that a majority of the scans are originating from port 6346, which snort.org informs me is the gnutella server port. I've verified that at least two of the clients that these packets were directed to were running various file-sharing clients. Is this some sort of new scanning tool that runs over the Gnutella network? Anyone have any thoughts?
>
> (See attached file: 5-10-02-scans.txt)
I saw a small number of these a couple of days ago, on ports other than the ones that you saw. I chalked it up to random data corruption, since it has not repeated since.

-- 
- mdz

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
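As an added example (not code from the thread or from either poster), the check below classifies a raw TCP header the way the firewall in the report would: it flags a bad header length (data offset outside the segment) and the odd flag combinations that make a packet look like corruption or a scan rather than traffic. Both sample segments are constructed here, using the source port 6346 from the post; they are not the attached captures.

```python
import struct

# Constructed sample segments (TCP header only, no IP header), not captures
# from the list post. Fields: sport, dport, seq, ack, offset/flags, window,
# checksum (left zero), urgent pointer.
NORMAL_SYN = struct.pack("!HHIIHHHH", 6346, 1234, 1, 0, (5 << 12) | 0x02, 8192, 0, 0)
# Data offset 2 (8 bytes, below the 20-byte minimum) with SYN+FIN+URG set.
MALFORMED = struct.pack("!HHIIHHHH", 6346, 1234, 1, 0, (2 << 12) | 0x23, 0, 0, 0)

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed TCP header fields from a raw segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {
        "sport": sport,
        "dport": dport,
        # Data offset is the header length in 32-bit words.
        "header_len": (off_flags >> 12) * 4,
        "flags": {name for name, bit in FLAG_BITS.items() if off_flags & bit},
    }


def header_problems(segment: bytes) -> list[str]:
    """Return the reasons a firewall would log this header as malformed."""
    hdr = parse_tcp(segment)
    flags = hdr["flags"]
    problems = []
    if hdr["header_len"] < 20:
        problems.append("bad header length: data offset below 20 bytes")
    elif hdr["header_len"] > len(segment):
        problems.append("bad header length: data offset past end of segment")
    # Flag combinations that never occur in a legitimate TCP exchange.
    if not flags:
        problems.append("null flags")
    if {"SYN", "FIN"} <= flags:
        problems.append("SYN+FIN set together")
    if {"SYN", "RST"} <= flags:
        problems.append("SYN+RST set together")
    if {"FIN", "PSH", "URG"} <= flags and "ACK" not in flags:
        problems.append("FIN+PSH+URG without ACK")
    return problems


if __name__ == "__main__":
    for name, seg in (("normal", NORMAL_SYN), ("malformed", MALFORMED)):
        print(name, parse_tcp(seg)["sport"], header_problems(seg))
```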