Firewall Wizards mailing list archives
Re: packet too large and/or Ping Of Death ???
From: Mikael Olsson <mikael.olsson () enternet se>
Date: Tue, 09 Nov 1999 20:13:43 +0100
The problem isn't the NICs in the firewall. It's the NICs in your workstations etc. that are sending out scrambled packets. (I still haven't seen NICs scrambling accurately sent packets on receipt.)

If you monitor your network closely, you'll most likely see that the Ethernet sender addresses of the garbled packets will be the same group all the time. These are the ones that should get an immediate NIC change.

Drexx Laggui wrote:

Nov. 7, 1999

Hello Mikael,

Umm, the NICs are not cheap. The ones on both the FireWall-1 v4 SP4 & RealSecure 3.0.2 are both Intel GigaEthernet fiber-optic NICs connected to a Cabletron switch. And yes, they all run on Windows NT 4 SP4.

(What's a post-sales engineer to do? Re-design the network?)

Drexx Laggui.

At 01:44 PM 11/6/99 +0100, Mikael Olsson wrote:

I'm seeing this often in firewall logs. Most likely, you've been buying really cheap network cards. It seems that a LOT of the il-cheapo NE2000 clones have the same problem: shifting data 2 bytes in some direction.

The thing is, you only get to see these things in logs if your equipment is capable of logging packets with bad checksums rather than throwing them away silently. (Yes, the checksums end up looking all screwy when bytes get shifted around in the packet.)

And no, the problem is not just IP, they screw all kinds of packets up, I'm seeing this done to f.i. ARP as well.

Regards,
Mikael Olsson

Drexx Laggui wrote:

I'm sorry for the re-send, my e-mail got screwed up, but I really value your input... Drexx.

==================================================

Nov. 3, 1999

Hello world,

I need your collective experience/brain power to shed some light on what's filling up my FireWall-1 logs and alarming also RealSecure...

I have a FireWall-1 controlling access to internal VLANs across Cabletron switches. The RealSecure v3.0.2 constantly alerts with a Ping Of Death attack, while the FireWall-1 reports that the packets are too large, with an IP Protocol number of zero.

It may be a coincidental fact, but the internal networks are of IP address a.b.y.z, yet the source/destination of the attacks reported are of y.z.a.b.

The weird thing is that I think that the Cabletron may be mangling the packets or something, therefore creating a lot of false positives on the RealSecure. Any idea what is really happening?

Thanks in advance,
Drexx Laggui.

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50 Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se E-mail: mikael.olsson () enternet se
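One way to do the monitoring suggested in the message above, as an added example that is not part of the original thread: verify the IPv4 header checksum of captured Ethernet frames and tally failures per source MAC, so the NICs that keep emitting garbled packets stand out. The frames, MAC addresses and the 2-byte damage pattern are constructed for illustration, and the code assumes the capture point hands over frames with bad checksums instead of dropping them.

```python
import struct
from collections import Counter

def ones_complement_sum(data: bytes) -> int:
    """16-bit ones'-complement sum used by the IPv4 header checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_header_ok(ip: bytes) -> bool:
    """True if the bytes start with a well-formed IPv4 header whose checksum verifies."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return False
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return False
    return ones_complement_sum(ip[:ihl]) == 0xFFFF

def suspect_senders(frames):
    """Map source MAC -> (bad IPv4 headers, IPv4 frames seen), only for MACs with bad > 0."""
    seen, bad = Counter(), Counter()
    for frame in frames:
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":  # IPv4 EtherType only
            continue
        mac = frame[6:12].hex(":")
        seen[mac] += 1
        if not ipv4_header_ok(frame[14:]):
            bad[mac] += 1
    return {mac: (bad[mac], seen[mac]) for mac in bad}

def make_frame(src_mac: str, garble: bool = False) -> bytes:
    """Constructed test frame: 10.1.2.9 -> 10.1.2.3, 8 payload bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 1, 0,
                      bytes([10, 1, 2, 9]), bytes([10, 1, 2, 3]))
    csum = 0xFFFF - ones_complement_sum(hdr)
    ip = hdr[:10] + struct.pack("!H", csum) + hdr[12:] + bytes(8)
    if garble:  # constructed damage: everything after byte 4 pushed back 2 bytes
        ip = ip[:4] + b"\x00\x00" + ip[4:-2]
    return bytes.fromhex("020000000001" + src_mac) + b"\x08\x00" + ip

GOOD_NIC, BAD_NIC = "0200000000aa", "0200000000bb"  # constructed addresses
SAMPLE_FRAMES = ([make_frame(GOOD_NIC)] * 3 +
                 [make_frame(BAD_NIC), make_frame(BAD_NIC, True), make_frame(BAD_NIC, True)])

if __name__ == "__main__":
    for mac, (n_bad, n_seen) in suspect_senders(SAMPLE_FRAMES).items():
        print(f"{mac}: {n_bad}/{n_seen} IPv4 frames failed header checks")
```

Only IPv4 is checked here; the thread notes that ARP is damaged the same way, and ARP carries no checksum of its own, so it would need a different sanity check.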