Security Incidents mailing list archives
Re: PIX Question
From: Laura Nuñez <potus () glacyar com ar>
Date: Thu, 2 Nov 2000 17:16:30 -0300
Hi, I am curious about the meaning of IP Options=0x14. Is PIX displaying the option number here? Because if this number is the value of the Option Field instead, it should read:

    0 00 10100 = 14 Hex
    | |  |___ Option Number: 20 decimal, that is Router Alert; the router has to examine the datagram even if it is not the addressee
    | |______ Option Class: in this case datagram or network control
    |________ Copy the option in all the fragments

So, what happens if there is more than one option in the IP header? What has the router to do with the packet?

You are right about the source address, it doesn't belong there. If you can, filter that kind of illegal addresses in your external routers. There is a document in SANS detailing that: www.sans.org/dosstep/index.htm

It would be interesting to know what the packet looked like. If you continue seeing this kind of traffic, use a sniffer and capture the whole packet to know a little more.

Good Luck,
Laura

---------------------------------------
Laura Nuñez
mailto:potus () glacyar com ar
PGP Fingerprint: 995C 89F3 DAF5 F106 4D6C C4B4 8A0C 832F A2FD 1BBA
PGP Public Key: http://www.glacyar.com.ar/potus.asc
Website: http://www.glacyar.com.ar
Glacyar InfoSec list: http://glacyar.listbot.com/
---------------------------------------

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On behalf of Shawn Davenport
Sent: Tuesday, 31 October 2000 08:23 p.m.
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: PIX Question

It refers to the IP Options field of the IP header. The field is 40 bytes max in length. 14 is listed as experimental access control on http://www.isi.edu/in-notes/iana/assignments/ip-parameters . For the most part options are very rarely used and I would be cautious of packets coming in using ANY options! In regards to the possibility of someone trying to map your network, I would say the chances are good. Some of the more interesting IP options such as loose and strict source routing can help provide a wealth of information regarding network topology.

Hope that helps!
Shawn

-----Original Message-----
From: Miller, Dan [mailto:dmiller () MICROTHERAPEUTICS COM]
Sent: Tuesday, October 31, 2000 11:05 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: PIX Question

I am a 'newbie' to Security and have been a voyeur to this list-server for a while - plus the 'education' - so please be gentle...

Recently the following message has been picked up at our PIX firewall:

    106012:Deny IP from 0.0.0.0 to 161.58.250.155, IP options: "0x14"

My question is what is an 'IP Option 0x14'? Just from the outside IP address I assume this to be some kind of attempt to map or penetrate the network perimeter... Any other opinions?

Thank you in advance.

Daniel Miller
IT Manager
Micro Therapeutics, Inc.

*******************************************************************
The information contained in this message or any of its attachments should be considered privileged and confidential unless explicitly indicated otherwise, and is intended for the exclusive use of the addressee. Any disclosure, reproduction, distribution or other dissemination or use of this communication is strictly prohibited unless explicitly indicated otherwise. If you received this message in error, please reply to the sender and destroy the communication immediately.
*******************************************************************
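The decoding of the option type octet that Laura walks through above (copy flag, class bits, option number) and the PIX 106012 line Dan quoted can be checked mechanically. The following is an added example written for this archive page; it is not code from any of the posters or from Cisco. It parses a 106012 message, splits the option octet into its three fields per RFC 791, names the option number from the IANA registry (the subset listed in the table is from memory of that registry), and flags source addresses that should never arrive on an external interface, which is the filtering Laura recommends. The optional "%PIX-<level>-" prefix in the regex and the sample log lines are constructed assumptions about what a syslog feed from the firewall looks like.

```python
import ipaddress
import re

# Option numbers are the low five bits of the option type octet. Names follow the
# IANA IP option registry; only commonly encountered numbers are listed here.
OPTION_NAMES = {
    0: "End of Option List",
    1: "No Operation",
    2: "Security",
    3: "Loose Source Route",
    4: "Time Stamp",
    7: "Record Route",
    9: "Strict Source Route",
    20: "Router Alert",
}

# The two class bits: 0 = control, 2 = debugging and measurement, 1 and 3 reserved.
CLASS_NAMES = {0: "control", 1: "reserved", 2: "debugging/measurement", 3: "reserved"}

# Options that steer or record the forwarding path; these reveal topology and
# deserve a closer look when they show up at a perimeter.
ROUTING_OPTION_NUMBERS = {3, 7, 9}

# Constructed pattern for the 106012 message; the "%PIX-<level>-" prefix is optional
# so that lines with or without the syslog header both match.
PIX_106012 = re.compile(
    r'^(?:%PIX-\d-)?106012:\s*Deny IP from (\S+) to (\S+), IP options:\s*"?0x([0-9A-Fa-f]{1,2})"?'
)


def decode_option_type(octet):
    """Split one IP option type octet into copy flag, class and number (RFC 791 layout)."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("option type must be a single octet")
    number = octet & 0x1F             # low 5 bits
    option_class = (octet >> 5) & 0x3  # next 2 bits
    return {
        "octet": octet,
        "copied": bool(octet & 0x80),  # high bit: copy option into every fragment
        "class": option_class,
        "class_name": CLASS_NAMES[option_class],
        "number": number,
        "name": OPTION_NAMES.get(number, "unassigned/unknown"),
        "routing_related": number in ROUTING_OPTION_NUMBERS,
    }


def source_is_illegal(addr):
    """True if the address should never be a packet source on an external interface."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_unspecified or ip.is_private or ip.is_loopback
            or ip.is_multicast or ip.is_reserved)


def analyze_pix_line(line):
    """Parse one PIX 106012 message; returns an annotated dict, or None if it does not match."""
    m = PIX_106012.search(line)
    if not m:
        return None
    src, dst, hex_octet = m.groups()
    return {
        "src": src,
        "dst": dst,
        "src_illegal": source_is_illegal(src),
        "option": decode_option_type(int(hex_octet, 16)),
    }


# Constructed sample lines; the first mirrors the message quoted in the thread.
SAMPLE_LINES = [
    '106012:Deny IP from 0.0.0.0 to 161.58.250.155, IP options: "0x14"',
    '106012:Deny IP from 198.51.100.7 to 161.58.250.155, IP options: "0x83"',
    "some unrelated syslog text",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = analyze_pix_line(line)
        if r is None:
            continue
        o = r["option"]
        print(f"{r['src']} -> {r['dst']}: option 0x{o['octet']:02x} copy={int(o['copied'])} "
              f"class={o['class']} ({o['class_name']}) number={o['number']} ({o['name']}); "
              f"routing-related={o['routing_related']} src-illegal={r['src_illegal']}")
```

Run on the first sample the decoder reports copy=0, class 0, number 20 (Router Alert) and an illegal source, which is exactly the reading Laura gives for 0x14. Note that the decoder is keyed on the option number, so 0x94 (the same number with the copy bit set) also resolves to Router Alert; whether the firewall logs the whole type octet or just the number is the open question in the thread, and this code does not settle it.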
Current thread:
- PIX Question Miller, Dan (Nov 01)
- Re: PIX Question Bill Pennington (Nov 02)
- <Possible follow-ups>
- Re: PIX Question Shawn Davenport (Nov 02)
- Re: PIX Question Laura Nuñez (Nov 05)