Security Incidents mailing list archives

Re: streams of fragments...

From: Gamble <a629w () unb ca>
Date: Wed, 18 Jul 2001 12:23:36 -0300 (ADT)


 This sounds like a DOS attack.  By sending you many fragmented packets 
the attacker could consume a lot of the memory on your machine.  You could
counter this by blocking all IP fragments on your firewall,  but that
would also prevent legitimate activities.  The attacker is most likly
spoofing the IP addresses which you are seeing, so if it is a DOS,
tracking it down will be difficult.

-- Jamie Gamble

Note More Fragments and Don't fragment are both set to 1??

The packets arrive in pairs, both to the same destination address.

Some sources send packets to just one destination others send them
to many.

When I look in the argus logs I see a single RST packet and argus does
not report that it was fragmented.

Any idea what is going on?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand




----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Current thread:

streams of fragments... Russell Fulton (Jul 17)
- Re: streams of fragments... Gamble (Jul 18)
  - Re: streams of fragments... Jose Nazario (Jul 18)
    - Re: streams of fragments... Dug Song (Jul 18)
  - Re: streams of fragments... Russell Fulton (Jul 18)
- Re: streams of fragments... Burak DAYIOGLU (Jul 18)
- <Possible follow-ups>
- RE: streams of fragments... Portnoy, Gary (Jul 18)
- RE: streams of fragments... Rich Ostergard (Jul 18)