Security Incidents mailing list archives
Re: unknown IP packets
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Tue, 15 Feb 2000 12:38:19 -0800
This is a problem on some local device either corrupting packets or not interpreting them correctly. The IP addresses are actually raw bytes from the IP header shifted down by 5 bytes.

Column#1: The first zero is actually part of the "fragment offset" field.

Column#2: The "64" in the next column represents the TTL of outgoing frames from UNIX machines on your network (Windows uses TTL of 128), the value "45" indicates a response from a machine 19 hops away, the value 52 indicates a response from a machine 12 hops away. The fact that you have what appears to be request/response pairs indicates to me that the packets are going out legally, but that your iplog program is misinterpreting them.

Column#3: The protocol field: 6=TCP, 17=UDP

Column#4: first byte of the checksum field. Notice how the multiple packets have the same first byte from the checksum, which might indicate a physical layer problem because the same packet might be transmitted over and over. Or, it could be just that the "identification" field is monotonically increasing (which again means you don't have a Windows machine generating these packets).

You can read more on the IP header at:
http://www.robertgraham.com/pubs/hacking-dict.html#ip-header

To solve the problem, just put a packet sniffer on the wire (like 'tcpdump'):
http://www.robertgraham.com/pubs/sniffing-faq.html

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On Behalf Of Mark Shirley
Sent: Monday, February 14, 2000 9:53 AM
To: INCIDENTS () securityfocus com
Subject: unknown IP packets

I usually don't post unusual logs here but this struck my eye. I have never seen this before.

Feb 14 12:47:20 cyberfrg iplog[90430]: Warning: Short IP packet received from 0.64.6.57
Feb 14 12:47:21 cyberfrg iplog[90430]: Warning: Short IP packet received from 0.45.6.160
Feb 14 12:47:21 cyberfrg iplog[90430]: Warning: Short IP packet received from 0.64.17.26
Feb 14 12:47:21 cyberfrg iplog[90430]: Warning: Short IP packet received from 0.52.17.241
Feb 14 12:47:21 cyberfrg iplog[90430]: Warning: Short IP packet received from 0.64.17.26
Feb 14 12:47:21 cyberfrg iplog[90430]: Warning: Short IP packet received from 0.52.17.241
Feb 14 12:47:23 cyberfrg iplog[90430]: Warning: Short IP packet received from 0.54.6.210
Feb 14 12:47:23 cyberfrg iplog[90430]: Warning: Short IP packet received from 0.64.6.181

It seems that I am getting flooded with them. Thousands upon thousands.
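
The misreading described in the reply, as an added example that is not part of the original messages: it builds an IPv4 header, reads the "source address" 5 bytes too early, and decodes logged addresses back into header fields. The packet and its addresses are constructed, the function names are hypothetical, and the hop estimate assumes an initial TTL of 64, as the reply's figures imply.

```python
import re
import struct

PROTOCOLS = {6: "TCP", 17: "UDP"}          # values named in the reply
LOG_RE = re.compile(r"Short IP packet received from (\d+)\.(\d+)\.(\d+)\.(\d+)")

def build_ipv4_header(ttl, proto, src, dst, ident=0x1234):
    """Constructed 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0,
                      ttl, proto, 0, bytes(src), bytes(dst))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:                      # fold carries (one's complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]

def misread_source(header, shift=5):
    """Read the 'source address' `shift` bytes before its real offset (12)."""
    start = 12 - shift
    return ".".join(str(b) for b in header[start:start + 4])

def decode_bogus_address(octets, initial_ttl=64):
    """Map the four logged 'address' octets back to IP header fields."""
    frag_lo, ttl, proto, csum_hi = octets
    return {
        "frag_offset_low": frag_lo,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "checksum_hi": csum_hi,
        # Hop estimate assumes the sender started at initial_ttl (assumption).
        "hops": initial_ttl - ttl if ttl <= initial_ttl else None,
    }

def decode_log_line(line):
    m = LOG_RE.search(line)
    return decode_bogus_address(tuple(int(g) for g in m.groups())) if m else None

if __name__ == "__main__":
    # Constructed packet: documentation addresses, TTL 64, TCP.
    hdr = build_ipv4_header(64, 6, (192, 0, 2, 10), (198, 51, 100, 7))
    print("real source   :", ".".join(str(b) for b in hdr[12:16]))
    print("misread source:", misread_source(hdr))
    # Log lines copied from the post above.
    for line in ("Warning: Short IP packet received from 0.45.6.160",
                 "Warning: Short IP packet received from 0.52.17.241"):
        print(decode_log_line(line))
```

A logged address whose second octet is a plausible TTL and whose third is 6 or 17 is a strong hint that the logger, not the sender, is at fault.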