Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

fragment attack of some kind ?

From: ktk () BERLINGSKE-ONLINE DK (Klavs Klavsen)
Date: Tue, 11 Apr 2000 08:38:12 +0100

Dear sirs,

I've encountered the following in a Linux firewall..
(and I would be greatful if you would shed some light on it for me..)

Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17
216.35.71.246:2000 x.x.x.x:33434 L=64 S=0x00 I=22914 F=0x0000 T=242 (#32)
Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17
216.35.71.246:2001 x.x.x.x:33434 L=64 S=0x00 I=22916 F=0x0000 T=242 (#32)
Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17
216.35.71.246:2002 x.x.x.x:33434 L=64 S=0x00 I=22918 F=0x0000 T=242 (#32)
Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6

216.35.71.246:2000 x.x.x.x:33434 L=104 S=0x00 I=35096 F=0x0000 T=242 SYN (#24)
Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6
216.35.71.246:2001 x.x.x.x:33434 L=104 S=0x00 I=36448 F=0x0000 T=242 SYN (#24)
Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6
216.35.71.246:2002 x.x.x.x:33434 L=104 S=0x00 I=44944 F=0x0000 T=242 SYN (#24)

Am I interpreting it correct, when I see the first 3 lines, as packages with
length 64 (is that odd ?) and the #32 means that it's suppose to be the 32'st
fragment ? and what does the I stand for ? and the F ? the T is the ttl of the
package ?

And is the second row of packages, the same kind of package as the first one,
but with the SYN bit set ?

And at last, my final question.. This firewall is also masquarading for a lot of
clients.. both linux and winblows.. and I get a lot of these "funny" packages...
is there anyway that they can be caused by.. something initiated by my clients ?

Best regards,

Klavs Klavsen
Denmark
Previous By Date Next
Previous By Thread Next

Current thread: