Security Incidents mailing list archives

Re: unknown IP packets


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Tue, 15 Feb 2000 12:38:19 -0800


This is a problem on some local device either corrupting packets or not
interpreting them correctly. The IP addresses are actually raw bytes from
the IP header shifted down by 5 bytes.

Column#1:
The first zero is actually part of the "fragment offset" field.

Column#2:
The "64" in the next column represents the TTL of outgoing frames from UNIX
machines on your network (Windows uses TTL of 128), the value "45" indicates
a response from a machine 19 hops away, the value 52 indicates a response
from a machine 12 hops away. The fact that you have what appears to be
request/response pairs indicates to me that the packets are going out
legally, but that your iplog program is misinterpreting them.

Column#3: The protocol field: 6=TCP, 17=UDP

Column#4: first byte of the checksum field. Notice how the multiple packets
have the same first byte from the checksum, which might indicate a physical
layer problem because the same packet might be transmitted over and over.
Or, it could be just that the "identification" field is monotonically
increasing (which again means you don't have a Windows machine generating
these packets).

You can read more on the IP header at:
http://www.robertgraham.com/pubs/hacking-dict.html#ip-header

To solve the problem, just put a packet sniffer on the wire (like
'tcpdump'):
http://www.robertgraham.com/pubs/sniffing-faq.html

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com] On Behalf Of Mark Shirley
Sent: Monday, February 14, 2000 9:53 AM
To: INCIDENTS () securityfocus com
Subject: unknown IP packets

I usually don't post unusual logs here but this struck my eye. I have never
seen this before.

Feb 14 12:47:20 cyberfrg iplog[90430]: Warning: Short IP packet received
from 0.64.6.57
Feb 14 12:47:21 cyberfrg iplog[90430]: Warning: Short IP packet received
from 0.45.6.160
Feb 14 12:47:21 cyberfrg iplog[90430]: Warning: Short IP packet received
from 0.64.17.26
Feb 14 12:47:21 cyberfrg iplog[90430]: Warning: Short IP packet received
from 0.52.17.241
Feb 14 12:47:21 cyberfrg iplog[90430]: Warning: Short IP packet received
from 0.64.17.26
Feb 14 12:47:21 cyberfrg iplog[90430]: Warning: Short IP packet received
from 0.52.17.241
Feb 14 12:47:23 cyberfrg iplog[90430]: Warning: Short IP packet received
from 0.54.6.210
Feb 14 12:47:23 cyberfrg iplog[90430]: Warning: Short IP packet received
from 0.64.6.181

It seems that I am getting flooded with them. Thousands upon thousands.
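As an added example (not code from either message in this thread), the following Python builds a constructed IPv4 header, reproduces the read that starts 5 bytes too early and so yields "addresses" like 0.64.6.57, and decodes such a logged address back into the fields the reply describes: low fragment-offset byte, TTL (with a hop estimate that assumes a 64, 128 or 255 initial TTL), protocol, and first checksum byte. Function names and the sample addresses are assumptions for illustration.

```python
import socket
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
COMMON_INITIAL_TTLS = (64, 128, 255)  # assumed typical initial TTLs


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int, ident: int,
                      total_len: int = 40) -> bytes:
    """Constructed 20-byte IPv4 header: no options, DF set, fragment offset 0."""
    flags_frag = 0x4000  # DF flag set, fragment offset 0 (low byte is 0x00)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def real_source(header: bytes) -> str:
    """Correct read: source address is header bytes 12..15."""
    return socket.inet_ntoa(header[12:16])


def misread_source(header: bytes) -> str:
    """Reproduce the bug: take the 'source address' from bytes 7..10 instead."""
    return socket.inet_ntoa(header[7:11])


def decode_misread_address(addr: str) -> dict:
    """Interpret an iplog 'address' like 0.64.6.57 as header bytes 7..10."""
    frag_low, ttl, proto, csum_hi = (int(x) for x in addr.split("."))
    # Smallest common initial TTL not below the observed one gives the hop count.
    initial = next((t for t in COMMON_INITIAL_TTLS if t >= ttl), None)
    return {
        "frag_offset_low_byte": frag_low,
        "ttl": ttl,
        "hops_away": initial - ttl if initial is not None else None,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "checksum_high_byte": csum_hi,
    }
```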
