Firewall Wizards mailing list archives

Re: packet too large and/or Ping Of Death ???


From: Mikael Olsson <mikael.olsson () enternet se>
Date: Sat, 06 Nov 1999 13:44:32 +0100


I'm seeing this often in firewall logs. Most likely, you've been buying
really cheap network cards. It seems that a LOT of the il-cheapo NE2000 
clones have the same problem: shifting data 2 bytes in some direction.

The thing is, you only get to see these things in logs if your equipment
is capable of logging packets with bad checksums rather than throwing
them away silently. (Yes, the checksums end up looking all screwy when 
bytes get shifted around in the packet).

And no, the problem is not just IP, they screw all kinds of packets up,
I'm seeing this done to f.i. ARP as well.

Regards,
Mikael Olsson

Drexx Laggui wrote:

I'm sorry for the re-send, my e-mail got screwed up, but I really value your
input...

Drexx.

==================================================
Nov. 3, 1999

Hello world,

I need your collective experience/brain power to shed some light on what's
filling up my FireWall-1 logs and alarming also RealSecure...

I have a FireWall-1 controlling access to internal VLANs across Cabletron
switches. The RealSecure v3.0.2 constantly alerts with a Ping Of Death attack,
while the FireWall-1 reports that the packets are too large, with an IP Protocol
number of zero.

It may be a coincidental fact, but the internal networks are of IP address a.b.y.z,
yet the source/destination of the attacks reported are of y.z.a.b.
The weird thing is that I think that the Cabletron may be mangling the packets
or something, therefore creating a lot of false positives on the RealSecure.

Any idea what is really happening? Thanks in advance,

Drexx Laggui.

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
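
Added example, not part of the original thread: a sketch of how a two-byte shift in an IPv4 header produces the symptoms discussed above (bad checksum, protocol 0, oversized length, addresses read as y.z.a.b). The shift direction (toward the end of the packet, starting at the first header byte), the zero filler bytes, and the 10.20.x.x addresses are assumptions constructed for illustration.

```python
import socket
import struct

FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words, folded and inverted."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src: str, dst: str, payload_len: int = 64) -> bytes:
    """Build a valid header for an ICMP packet (constructed sample values)."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0, 64, 1, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(FMT, *fields))
    return struct.pack(FMT, *fields)

def shift_two_bytes(header: bytes, filler: bytes = b"\x00\x00") -> bytes:
    """Assumed fault model: two filler bytes pushed in front of the header,
    so every field is read two bytes late and the tail falls off."""
    return (filler + header)[:len(header)]

def parse(header: bytes) -> dict:
    """Read the header at its fixed offsets, as a firewall or IDS would."""
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(FMT, header)
    return {
        "total_length": total_len,   # now holds the old version/TOS bytes
        "protocol": proto,           # now holds the old fragment-offset low byte
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": checksum(header) == 0,
    }

def demo() -> tuple:
    """Return (parsed good header, parsed shifted header)."""
    good = build_header("10.20.30.40", "10.20.50.60")  # a.b.y.z style addresses
    return parse(good), parse(shift_two_bytes(good))

if __name__ == "__main__":
    for label, fields in zip(("original", "shifted"), demo()):
        print(label, fields)
```

In the shifted header the total-length field holds the old version/IHL and TOS bytes (0x4500, i.e. 17664 bytes), which is far larger than the frame that carried it.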


