Suspicious traffic w src & dst port 19161

["Fergie (Paul Ferguson)" <fergdawg () netzero net>]

I've been looking for information on some suspicious traffic
we've been seeing targeted at one of our internal boxes. My gut
tells me it's a covert channel.

Access from the outside to the trageted box is blocked by
the firewall, but I occassionally see attempts by other various
hosts (usually originating from residential broadband users)
to communicate with the same target box anyway. The traffic
alarms my "outside interface" IDS sensor as a "IP Fragment
Overwrite - Data is Overwritten" meaning that:

[snip]

This signature fires upon detecting an IP fragment that overlaps a previous fragment.

This behavior is consistent with the 'Ping of Death'.

Overlapping fragments may be also used in an attempt to bypass Intrusion Detection Systems. In this scenario, part of 
an attack is sent in fragments along with additional random data; future fragments may overwrite the random data with 
the remainder of the attack. If the completed datagram is not properly reassembled at the IDS, the attack will go 
undetected. Triggers when a fragment overlap occurs which results in existing data being overwritten.

[snip]

Source and destination port is 16191.

Any ideas? I can probably get a trace, but I thought I
would ask the list first..

Thanks,

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------