Firewall Wizards mailing list archives

RE: fragmented packet from res6.geocities.com


From: Jeffery.Gieser () minnesotamutual com
Date: Thu, 27 Apr 2000 09:22:36 -0500


Normally, you only have one flag set in a TCP packet unless it's a SYN, ACK
or a FIN, ACK.  No valid TCP packets will ever have RST and FIN set in the
same packet since they both close connections in different ways.  A packet
that has all six flags on with one byte of data used to be called a nastygram
or Christmas tree packet.  I believe it causes some of the older
implementations of the TCP/IP stack to crash.  Since the ACK flag counts as
one byte of data, whoever sent you this packet was probably trying to crash
your machine.

4/20/00, 18:42:28,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:29,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:33,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:38,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:50,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:43:13,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:43:59,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,

These two packets are probably trying to do the same thing but I don't
recognize them as a particular attack offhand.  These are not valid TCP
segments, either.

4/20/00, 18:41:22,Tcp, 165, 38320, FIN SYN RST , Frag,
4/20/00, 18:40:18,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,

If these packets are hitting your firewall they are probably just being
dropped or getting a RST.  I wouldn't worry about them unless you have some
old OS versions on your network that are not protected by a firewall.  Even
if they come on valid TCP ports that you allow the internet to send traffic
to you on, your firewall should, hopefully, realize that it is a malformed
packet and drop it.

Regards,
Jeffery Gieser


Does the following connection attempt sound familiar to anyone:

Apr 20 14:47:57 fw /kernel: ipfw: 9100 Deny TCP 209.1.224.16 12.38.161.54 in via fxp0 Fragment = 147
Apr 20 14:48:21 fw last message repeated 9 times
Apr 20 14:50:26 fw last message repeated 33 times
Apr 20 14:55:40 fw last message repeated 11 times


yep, get the same thing once in a while, i have been wondering what this
was???

4/20/00, 18:40:00, 209.1.224.16,Tcp, 165, 38320, FIN SYN RST , Frag,
4/20/00, 18:40:02,Tcp, 165, 38320, FIN SYN RST , Frag,
4/20/00, 18:40:05,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,
4/20/00, 18:40:07,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,
4/20/00, 18:40:08,Tcp, 165, 38320, FIN SYN RST , Frag,
4/20/00, 18:40:11,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,
4/20/00, 18:40:17,Tcp, 165, 38320, FIN SYN RST , Frag,
4/20/00, 18:40:18,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,
4/20/00, 18:40:34,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,
4/20/00, 18:40:39,Tcp, 165, 38320, FIN SYN RST , Frag,
4/20/00, 18:41:06,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,
4/20/00, 18:41:22,Tcp, 165, 38320, FIN SYN RST , Frag,
4/20/00, 18:42:28,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:29,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:33,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:38,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:50,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:43:13,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:43:59,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
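
As an added example (not part of the original message or thread), the flag combinations discussed above can be checked mechanically over log records in this format. The field layout is inferred from the quoted lines, treating the two numbers after `Tcp` as port fields is an assumption, and the last sample record is constructed as a control.

```python
from collections import Counter

ALL_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
# Pairs that contradict each other: open vs. close, or two different closes.
ILLEGAL_PAIRS = (("SYN", "FIN"), ("SYN", "RST"), ("FIN", "RST"))

# First three lines are copied from the log quoted above; the last is a
# constructed control record (plain SYN, not fragmented).
SAMPLE = [
    "4/20/00, 18:40:00, 209.1.224.16,Tcp, 165, 38320, FIN SYN RST , Frag,",
    "4/20/00, 18:40:05,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,",
    "4/20/00, 18:42:28,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,",
    "4/20/00, 18:44:10,Tcp, 1025, 80, SYN , ,",
]

def parse(line):
    """Split one record; field positions are located relative to 'Tcp'."""
    fields = [f.strip() for f in line.split(",")]
    if "Tcp" not in fields:
        return None
    i = fields.index("Tcp")
    if len(fields) < i + 4 or not (fields[i + 1].isdigit() and fields[i + 2].isdigit()):
        return None
    return {
        "when": f"{fields[0]} {fields[1]}",
        # Assumption: the two numbers after 'Tcp' are port fields.
        "ports": (int(fields[i + 1]), int(fields[i + 2])),
        "flags": frozenset(fields[i + 3].split()),
        "frag": "Frag" in fields[i + 4:],
    }

def classify(flags):
    """Return the reasons a flag set cannot belong to a valid segment."""
    reasons = []
    if flags == ALL_FLAGS:
        reasons.append("all six flags")
    reasons += [f"{a}+{b}" for a, b in ILLEGAL_PAIRS if a in flags and b in flags]
    return reasons

def summarize(lines):
    """Count anomalous records per (flag set, reasons) signature."""
    counts = Counter()
    for rec in filter(None, map(parse, lines)):
        reasons = classify(rec["flags"])
        if reasons:
            counts[(" ".join(sorted(rec["flags"])), tuple(reasons))] += 1
    return counts

if __name__ == "__main__":
    for (flags, reasons), n in summarize(SAMPLE).items():
        print(f"{n}x [{flags}] -> {', '.join(reasons)}")
```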


