Snort mailing list archives

Re: bad IP traffic


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 20 Jun 2003 14:57:40 -0400

At 06:01 PM 6/20/2003 +0200, NC Agent wrote:
My company NIDS - i.e. snort 2.0 - has been triggering a lot of "BAD-TRAFFIC bad frag bits" alerts for three or four days.
These come out when a TCP packet has both the fragment and the don't_fragment bit on.

A packet with both DF and Frag set is likely to be one of two cases:
1) a broken router somewhere that fails to pay attention to the DF bit and fragments packets at will
2) A finger-printing tool, such as nmap, that is observing how your routers and servers respond to invalid packets to try to identify what OS they run. However, doing this at the IP layer isn't common, usually the tcp flags are by far more revealing.

My guess is that someone is visiting your website through a router that is broken, but you'd have to closely examine the contents of the packets to tell the difference... As a ball-park suggestion of how common broken routers are, if I had a nickel for every broken router out there on the net I'd be able to buy a nicely equipped Mercedes with the profits.
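To make the alert's condition concrete, here is an added example (not from the thread, and not Snort's own code) that decodes the IPv4 flags/fragment-offset field of constructed packets, reports which would match the DF-and-MF condition the alert describes, and prints the fragment offset you would look at when examining the packet as suggested above. The sample headers, addresses and the helper names are constructed for the example.

```python
import struct

# Constructed sample IPv4 headers (20 bytes, no options), not captured traffic.
# The 16-bit "flags/fragment offset" field at bytes 6-7 holds:
#   bit 15 reserved, bit 14 DF (don't fragment), bit 13 MF (more fragments),
#   low 13 bits = fragment offset in 8-byte units.
IP_DF = 0x4000
IP_MF = 0x2000
IP_OFFMASK = 0x1FFF

def build_ipv4_header(flags_frag, total_len=40, proto=6):
    """Build a constructed IPv4 header for testing; checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def frag_info(packet):
    """Decode DF, MF and byte offset from a raw IPv4 packet; None if not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ff = struct.unpack("!H", packet[6:8])[0]
    return {"df": bool(ff & IP_DF), "mf": bool(ff & IP_MF),
            "offset": (ff & IP_OFFMASK) * 8}

def bad_frag_bits(packet):
    """The alert's condition: DF and MF both set on the same packet."""
    info = frag_info(packet)
    return info is not None and info["df"] and info["mf"]

SAMPLES = {
    "normal_df": build_ipv4_header(IP_DF),             # ordinary unfragmented packet
    "first_fragment": build_ipv4_header(IP_MF),        # legitimate fragment, offset 0
    "last_fragment": build_ipv4_header(185),           # offset 1480 bytes, MF clear
    "df_and_mf": build_ipv4_header(IP_DF | IP_MF),     # contradictory: would alert
    "df_and_mf_offset": build_ipv4_header(IP_DF | IP_MF | 185),
}

def triage(samples):
    """Return (name, fragment offset) for each packet that would raise the alert."""
    hits = []
    for name, pkt in samples.items():
        if bad_frag_bits(pkt):
            hits.append((name, frag_info(pkt)["offset"]))
    return hits

if __name__ == "__main__":
    for name, off in triage(SAMPLES):
        print(f"{name}: DF+MF set, fragment offset {off} bytes")
```

A non-zero offset on a DF+MF packet means a router fragmented something the sender asked not to be fragmented; an offset of 0 with no matching continuation fragments is the pattern to compare against the packet payload when deciding between the two cases.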

