Security Incidents mailing list archives
Re: streams of fragments...
From: Gamble <a629w () unb ca>
Date: Wed, 18 Jul 2001 12:23:36 -0300 (ADT)
This sounds like a DOS attack. By sending you many fragmented packets the attacker could consume a lot of the memory on your machine. You could counter this by blocking all IP fragments on your firewall, but that would also prevent legitimate activities. The attacker is most likly spoofing the IP addresses which you are seeing, so if it is a DOS, tracking it down will be difficult. -- Jamie Gamble
Note More Fragments and Don't fragment are both set to 1?? The packets arrive in pairs, both to the same destination address. Some sources send packets to just one destination others send them to many. When I look in the argus logs I see a single RST packet and argus does not report that it was fragmented. Any idea what is going on? Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- streams of fragments... Russell Fulton (Jul 17)
- Re: streams of fragments... Gamble (Jul 18)
- Re: streams of fragments... Jose Nazario (Jul 18)
- Re: streams of fragments... Dug Song (Jul 18)
- Re: streams of fragments... Russell Fulton (Jul 18)
- Re: streams of fragments... Jose Nazario (Jul 18)
- Re: streams of fragments... Burak DAYIOGLU (Jul 18)
- <Possible follow-ups>
- RE: streams of fragments... Portnoy, Gary (Jul 18)
- RE: streams of fragments... Rich Ostergard (Jul 18)
- Re: streams of fragments... Gamble (Jul 18)