Security Incidents mailing list archives

IPv4 fragmentation --> The Rose Attack


From: hs () holgerscherer de
Date: Wed, 14 Apr 2004 23:54:19 +0200



Question to the experts:

My firewall (Netscreen 5GT) recognizes several IP fragment alerts a day,
reading 

**SNIP**
[00001] 2004-04-11 15:34:44 system-critical-00413:  no tcp flag, From
212.YY.XXX.35/3580 to 213.221.XXX.YY/83, using protocol TCP (on zone
V1-Untrust,interface untrust) occurred 1 times

[00001] 2004-04-13 22:54:34 system-critical-00440: ip fragment, From
62.XXX.151.YY/33451 to 213.221.XXX.YY/23604, using protocol TCP (on zone
V1-Untrust,interface untrust) occurred 1 times

[00001] 2004-04-14 20:45:19 system-critical-00440: ip fragment, From
XXX.152.YY.148/33712 to 213.221.XXX.YY/3658, using protocol TCP (on zone
V1-Untrust,interface untrust) occurred 1 times

**SNAP**

etc... As the destination ports don't seem to be interesting for any
service I use, might there be a possibility for any worm or exploit in
the wild?

These alerts started occurring about 3-4 weeks ago.

-h

