Security Incidents mailing list archives

Re: PIX Question


From: Laura Nuñez <potus () glacyar com ar>
Date: Thu, 2 Nov 2000 17:16:30 -0300

Hi,
        I am curious about the meaning of IP Options=0x14. Is PIX displaying the
option number here? Because if this number is the value of the Option Field
instead, it should read:

0 00 10100  = 14Hex
|  |   |___Option Number: 20 decimal, that is Router Alert; the router has to examine the datagram even if it is not the addressee
|  |_______Option Class: in this case datagram or network control
|__________Copy the option into all the fragments

        So, what happens if there is more than one option in the IP header? What
does the router have to do with the packet?
        You are right about the source address, it doesn't belong there. If you
can, filter that kind of illegal address in your external routers. There
is a document at SANS detailing that: www.sans.org/dosstep/index.htm
        It would be interesting to know what the packet looked like. If you
continue seeing this kind of traffic, use a sniffer and capture the whole
packet to learn a little more.

Good Luck, Laura
---------------------------------------
Laura Nuñez
mailto:potus () glacyar com ar
PGP Fingerprint: 995C 89F3 DAF5 F106 4D6C C4B4 8A0C 832F A2FD 1BBA
PGP Public Key: http://www.glacyar.com.ar/potus.asc
Website: http://www.glacyar.com.ar
Glacyar InfoSec mailing list: http://glacyar.listbot.com/
---------------------------------------

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On behalf
of Shawn Davenport
Sent: Tuesday, October 31, 2000 08:23 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: PIX Question


It refers to the IP Options field of the IP header. The field is 40 bytes max
in length. 14 is listed as experimental access control on
http://www.isi.edu/in-notes/iana/assignments/ip-parameters . For the most
part options are very rarely used and I would be cautious of packets coming
in using ANY options!

In regards to the possibility of someone trying to map your network, I
would say the chances are good. Some of the more interesting IP options such
as loose and strict source routing can help provide a wealth of information
regarding network topology.

Hope that helps!

Shawn


-----Original Message-----
From: Miller, Dan [mailto:dmiller () MICROTHERAPEUTICS COM]
Sent: Tuesday, October 31, 2000 11:05 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: PIX Question

I  am a 'newbie' to Security and have been a voyeur to this list-server
for a while - plus the 'education' - so please be gentle...

Recently the following message has been picked up at our PIX firewall:

     106012:Deny IP from 0.0.0.0 to 161.58.250.155, IP options: "0x14"

My question is what is an 'IP Option 0x14' ?

Just from the outside IP address I assume this to be some kind of
attempt to map or penetrate the network perimeter...
Any other opinions?

Thank you in advance.
Daniel Miller
IT Manager
Micro Therapeutics, Inc.


*******************************************************************
The information contained in this message or any of its attachments
should be considered privileged and confidential unless explicitly
indicated otherwise, and is intended for the exclusive use of the
addressee.  Any disclosure, reproduction, distribution or other
dissemination or use of this communication is strictly prohibited
unless explicitly indicated otherwise.

If you received this message in error, please reply to the sender
and destroy the communication immediately.
*******************************************************************

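Laura's split of the option-type byte (copy flag, class, number) and her question about a header carrying more than one option, as an added Python example that is not part of the thread: it decodes a single type byte the way her diagram does, walks a multi-option field using each option's length byte, and pulls the quoted hex value out of a PIX 106012 line. Option names come from the IANA ip-parameters registry Shawn cites; the PIX regular expression, the helper names and the sample option field are assumptions.

```python
import re

# Well-known option numbers (low five bits of the type byte), from the IANA ip-parameters registry.
OPTION_NAMES = {
    0: "EOOL", 1: "NOP", 2: "SEC", 3: "LSR", 4: "TS", 7: "RR",
    9: "SSR", 14: "Experimental Access Control", 20: "RTRALT (Router Alert)",
}
OPTION_CLASSES = {0: "control", 1: "reserved", 2: "debugging/measurement", 3: "reserved"}

def decode_option_type(byte):
    """Split one option-type byte: bit 7 = copied, bits 6-5 = class, bits 4-0 = number."""
    return {
        "copied": bool(byte & 0x80),
        "class": OPTION_CLASSES[(byte >> 5) & 0x03],
        "number": byte & 0x1F,
        "name": OPTION_NAMES.get(byte & 0x1F, "unassigned/unknown"),
    }

def parse_options_field(data):
    """Walk a raw options field. EOOL and NOP are single bytes; every other option has a length byte counting type, length and data."""
    opts, i = [], 0
    while i < len(data):
        t = data[i]
        if t == 0:            # EOOL: anything after it is padding
            opts.append(decode_option_type(t))
            break
        if t == 1:            # NOP: one byte, used for alignment
            opts.append(decode_option_type(t))
            i += 1
            continue
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed option length at offset %d" % i)
        entry = decode_option_type(t)
        entry["data"] = data[i + 2:i + data[i + 1]]
        opts.append(entry)
        i += data[i + 1]
    return opts

# Assumed pattern for the PIX message format quoted in the thread.
PIX_OPTIONS_RE = re.compile(r'IP options: "0x([0-9A-Fa-f]+)"')

def option_from_pix_log(line):
    """Decode the first option-type byte quoted in a PIX 106012 line, or None if absent."""
    m = PIX_OPTIONS_RE.search(line)
    if not m:
        return None
    return decode_option_type(int(m.group(1)[:2], 16))

# Constructed sample input: the log line from the original question and a three-option field.
SAMPLE_LOG = '106012:Deny IP from 0.0.0.0 to 161.58.250.155, IP options: "0x14"'
SAMPLE_FIELD = bytes([0x94, 4, 0, 0, 1, 0])   # Router Alert (copied), NOP, EOOL
```

Decoding 0x14 gives number 20 (Router Alert) with the copy bit clear, while the registry's 0x8E gives copied, number 14; the byte value and the option number are not the same thing.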
