Security Incidents mailing list archives

Incident with ports: 4 and 8


From: KDURAN () PN USBR GOV (Kenneth Duran)
Date: Tue, 15 Feb 2000 07:34:43 -0700


Greetings from the Cold Northwest,

I think what I have is a mis-configured link to an authorized web page.  The link is from a UUNet site to one of my web
servers behind a SonicWall F/W.  The foreign page is of M$ FrontPage construction, and when the 'action' (I call it this
because of a lack of another word) occurs, packets are sent to port 4 (IP encapsulation) and port 8 (EGP - Gateway
Protocol).  According to the log files and the captures, it is started when the link is opened and lasts for the
duration of the connection.  This only started after 1645 on 11 Feb 2000.  The F/W logged it as a Ping of Death attack.
For some reason I do not believe this conclusion.  Any other possibilities?

I do not have the logs at this time but I can get excerpts if needed to complete the investigation.  And we have been 
in contact with the foreign site to perform some checking at their end.

Kenneth M. Duran
PN Network Security Manager
kduran () pn usbr gov
(208)-378-5146

