Security Incidents mailing list archives
Re: Source port 0 and from a 0 network to boot?
From: Valdis.Kletnieks () vt edu
Date: Fri, 10 Jun 2005 23:09:13 -0400
the network. The PC will be shipped to us from our remote office but in the mean time does anyone recognize this traffic? I'm curious about the spoofed source addresses, 0.x.x.x. They appear random, other then the first octet being 0, but this PC choked an internal router with 50MB of traffic
Just as a totally shot-in-the-dark, is it possible that the IP packets in question contain IP options or similar weirdness, and your Dragon sensor misinterpreted the packet? I've seen more than one tool that blindly assumed that an IP header is 40 bytes, and started decoding the TCP header 40 bytes in, no matter what. Botched decodes of the "returned packet header" in an ICMP seem to be pretty popular as well. Of course, sometimes the malware programmers are the ones that botch things - stuff like using your own custom structure definitions that don't match reality, leaving out a field, and all your crafted packets go out the door busticated. (They'd have to try hard to botch that in this case - source addr/port aren't adjacent...) If feasible, try trapping the traffic with Ethereal or tcpdump or other tool, and see if it agrees that there's zeros in the source port and the first byte of the source addr...
Attachment:
_bin
Description:
Current thread:
- Source port 0 and from a 0 network to boot? kurt (Jun 10)
- Re: Source port 0 and from a 0 network to boot? Valdis . Kletnieks (Jun 13)
- <Possible follow-ups>
- Re: Source port 0 and from a 0 network to boot? junkma1l (Jun 13)
- Re: Source port 0 and from a 0 network to boot? kurt (Jun 13)