Security Incidents mailing list archives

TCP/IP options flags?


From: Mbeck () GIANTSTEP COM (Matt Beck)
Date: Tue, 16 May 2000 17:53:05 -0500


I'm seeing lots of packets denied at my firewall with the IP options flag
set.  The firewall logs the flag set as HEX 0x14.  I cannot convert this to
any of the standard TCP/IP options such as loose or strict source routing.
My first thought was that maybe machines were somehow misconfigured and I
need not worry about it.  But for grins I looked up all the addresses and
noticed a disturbing pattern.  During just the last 5 days I've received
these packets from the addresses below.  They are mostly .edu domains and
what appear to be cable-modem users.

So I began searching for tools or scanners that would set IP options flags
as part of their work.  I have had no luck finding such tools.  Can anyone
comment on why these packets would be arriving at my firewall and whether or
not I should be worried about them?  I'm attempting to capture these packets
for deeper analysis.

Any help you can offer would be greatly appreciated.  Thanks.

Deny IP from 128.59.139.23 to X.X.X.X, IP options: 0x14"" chemstore05.chem.columbia.edu
Deny IP from 128.6.135.7 to X.X.X.X, IP options: 0x14"" antonio.rutgers.edu
Deny IP from 129.174.186.20 to X.X.X.242, IP options: 0x14"" 99F1443.dorm.gmu.edu
Deny IP from 136.165.132.243 to X.X.X.201, IP options: 0x14"" dhcp04.hsc-b.louisville.edu
Deny IP from 204.210.205.115 to X.X.X.71, IP options: 0x14"" c21b115.neo.rr.com
Deny IP from 216.233.75.58 to X.X.X.103, IP options: 0x14"" node-d8e94b3a.powerinter.net
Deny IP from 24.142.55.37 to X.X.X.28, IP options: 0x14"" cm-24-142-55-37.cableco-op.ispchannel.com
Deny IP from 24.24.37.4 to X.X.X.201, IP options: 0x14"" d18182504.rochester.rr.com
Deny IP from 24.24.47.133 to X.X.X.121, IP options: 0x14"" d18182f85.rochester.rr.com
Deny IP from 24.29.235.217 to X.X.X.201, IP options: 0x14"" ro02-24-29-235-217.ce.mediaone.net
Deny IP from 24.8.146.42 to X.X.X.178, IP options: 0x14"" c849719-d.ptbrg1.sfba.home.com
Deny IP from 24.92.69.43 to X.X.X.176, IP options: 0x14"" m1has1n43.midsouth.rr.com
Deny IP from 24.92.91.37 to X.X.X.73, IP options: 0x14"" m7hfs1n37.midsouth.rr.com
Deny IP from 38.30.76.38 to X.X.X.27, IP options: 0x14"" ip38.miami12.fl.pub-ip.psi.net
