Security Incidents mailing list archives
TCP/IP options flags?
From: Mbeck () GIANTSTEP COM (Matt Beck)
Date: Tue, 16 May 2000 17:53:05 -0500
I'm seeing lots of packets denied at my firewall with the IP options flag set. The firewall logs the flag set as HEX 0x14. I cannot convert this to any of the standard TCP/IP options such as loose or strict source routing. My first thought was that maybe machines were somehow misconfigured and I need not worry about it. But for grins I looked up all the addresses and noticed a disturbing pattern. During just the last 5 days I've received these packets from the addresses below. They are mostly .edu domains and what appear to be cable-modem users. So I began searching for tools or scanners that would set IP options flags as part of their work. I have had no luck finding such tools.

Can anyone comment on why these packets would be arriving at my firewall and whether or not I should be worried about them? I'm attempting to capture these packets for deeper analysis. Any help you can offer would be greatly appreciated. Thanks.

Deny IP from 128.59.139.23 to X.X.X.X, IP options: 0x14      chemstore05.chem.columbia.edu
Deny IP from 128.6.135.7 to X.X.X.X, IP options: 0x14        antonio.rutgers.edu
Deny IP from 129.174.186.20 to X.X.X.242, IP options: 0x14   99F1443.dorm.gmu.edu
Deny IP from 136.165.132.243 to X.X.X.201, IP options: 0x14  dhcp04.hsc-b.louisville.edu
Deny IP from 204.210.205.115 to X.X.X.71, IP options: 0x14   c21b115.neo.rr.com
Deny IP from 216.233.75.58 to X.X.X.103, IP options: 0x14    node-d8e94b3a.powerinter.net
Deny IP from 24.142.55.37 to X.X.X.28, IP options: 0x14      cm-24-142-55-37.cableco-op.ispchannel.com
Deny IP from 24.24.37.4 to X.X.X.201, IP options: 0x14       d18182504.rochester.rr.com
Deny IP from 24.24.47.133 to X.X.X.121, IP options: 0x14     d18182f85.rochester.rr.com
Deny IP from 24.29.235.217 to X.X.X.201, IP options: 0x14    ro02-24-29-235-217.ce.mediaone.net
Deny IP from 24.8.146.42 to X.X.X.178, IP options: 0x14      c849719-d.ptbrg1.sfba.home.com
Deny IP from 24.92.69.43 to X.X.X.176, IP options: 0x14      m1has1n43.midsouth.rr.com
Deny IP from 24.92.91.37 to X.X.X.73, IP options: 0x14       m7hfs1n37.midsouth.rr.com
Deny IP from 38.30.76.38 to X.X.X.27, IP options: 0x14       ip38.miami12.fl.pub-ip.psi.net
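One way to decode the hex value such a firewall log reports, as an added example that is not part of the original post or any vendor's tooling: it splits the one-byte IPv4 option type (RFC 791) into its copied/class/number fields and names the option number. It assumes the firewall prints the raw option type byte, and the sample log line below is constructed in the post's format.

```python
import re

# Added example, not from the original post. Assumption: the firewall logs
# the raw IPv4 option *type* byte in hex (e.g. "IP options: 0x14").

# Option numbers from RFC 791 / the IANA IP option registry (partial table).
OPTION_NUMBERS = {
    0: "EOOL (end of option list)",
    1: "NOP",
    2: "SEC (security)",
    3: "LSR (loose source route)",
    4: "TS (timestamp)",
    7: "RR (record route)",
    9: "SSR (strict source route)",
    18: "TR (traceroute)",
    20: "RTRALT (router alert, RFC 2113)",
}


def decode_option_type(type_byte: int) -> dict:
    """Split an 8-bit IPv4 option type into copied flag, class and number."""
    if not 0 <= type_byte <= 0xFF:
        raise ValueError("option type must be a single byte")
    copied = (type_byte >> 7) & 0x1      # bit 7: copy option into all fragments?
    opt_class = (type_byte >> 5) & 0x3   # bits 5-6: 0 = control, 2 = debug/measurement
    number = type_byte & 0x1F            # bits 0-4: option number
    return {
        "copied": bool(copied),
        "class": opt_class,
        "number": number,
        "name": OPTION_NUMBERS.get(number, "unassigned/unknown"),
    }


def parse_deny_line(line: str) -> dict:
    """Extract src, dst and the option byte from a 'Deny IP ... IP options: 0x..' line."""
    m = re.search(r"Deny IP from (\S+) to (\S+), IP options: (0x[0-9a-fA-F]+)", line)
    if not m:
        raise ValueError("not a deny-with-IP-options log line")
    src, dst, hexval = m.groups()
    info = decode_option_type(int(hexval, 16))
    info.update(src=src, dst=dst)
    return info


if __name__ == "__main__":
    # Constructed sample line in the same format as the post's firewall log.
    sample = "Deny IP from 128.59.139.23 to 10.0.0.5, IP options: 0x14"
    print(parse_deny_line(sample))
```

Under that assumption 0x14 is option number 20 with the copied bit clear and class 0; RFC 2113 registers number 20 as router alert (type 0x94 with the copied bit set), so the field breakdown is a starting point and only the captured packets can confirm what is actually being sent.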