Re: streams of fragments...

[Burak DAYIOGLU <dayioglu () metu edu tr>]

Russell Fulton wrote:
> For some time now snort has been logging 'Tiny Fragments' coming from
> several different addresses.  Here is a sample:
>
> Packet 1
> TIME:   10:04:55.405457
> LINK:   00:00:0C:46:5C:D1 -> 00:E0:1E:8E:31:71 type=IP
>   IP:   62.32.156.41 -> 130.216.112.2 hlen=20 TOS=48 dgramlen=20 id=5D09
>         MF/DF=1/1 frag=0 TTL=98 proto=TCP cksum=CE6E
>  TCP:   port 0 -> 0 seq=0000000000 ack=0000000000
>         hlen=0 (data=0) UAPRSF=000000 wnd=28 cksum=50A9 urg=59666
> DATA:   <No data>
> ---------------------------------------------------------------------------
> Packet 2
> TIME:   10:04:55.481006 (0.075549)
> LINK:   00:00:0C:46:5C:D1 -> 00:E0:1E:8E:31:71 type=IP
>   IP:   62.32.156.41 -> 130.216.112.2 hlen=20 TOS=48 dgramlen=20 id=5D12
>         MF/DF=1/1 frag=0 TTL=98 proto=TCP cksum=CE65
>  TCP:   port 0 -> 0 seq=0000000000 ack=0000000000
>         hlen=0 (data=0) UAPRSF=000000 wnd=28 cksum=0F59 urg=30577
> DATA:   <No data>
>
> Note More Fragments and Don't fragment are both set to 1??
>
> The packets arrive in pairs, both to the same destination address.

Might it be hping running in two-fragments mode? hping data portions
are small; when split into two, it will be tiny.

Busy now so cannot verify with a sniffer trace; sorry.

regards,
-bd


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com