Firewall Wizards mailing list archives
RE: fragmented packet from res6.geocities.com
From: Jeffery.Gieser () minnesotamutual com
Date: Thu, 27 Apr 2000 09:22:36 -0500
Normally, you only have one flag set in a TCP packet unless it's a SYN, ACK or a FIN, ACK. No valid TCP packets will ever have RST and FIN set in the same packet since they both close connections in different ways. A packet that has all six flags on with one byte of data used to be called a nastygram or Christmas tree packet. I believe it causes some of the older implementations of the TCP/IP stack to crash. Since the ACK flag counts as one byte of data, whoever sent you this packet was probably trying to crash your machine.

4/20/00, 18:42:28,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:29,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:33,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:38,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:50,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:43:13,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:43:59,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,

These two packets are probably trying to do the same thing but I don't recognize them as a particular attack offhand. These are not valid TCP segments, either.

4/20/00, 18:41:22,Tcp, 165, 38320, FIN SYN RST , Frag,
4/20/00, 18:40:18,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,

If these packets are hitting your firewall they are probably just being dropped or getting a RST. I wouldn't worry about them unless you have some old OS versions on your network that are not protected by a firewall. Even if they come on valid TCP ports that you allow the internet to send traffic to you on, your firewall should, hopefully, realize that it is a malformed packet and drop it.

Regards,
Jeffery Gieser
Does the following connection attempt sound familiar to anyone:

Apr 20 14:47:57 fw /kernel: ipfw: 9100 Deny TCP 209.1.224.16 12.38.161.54 in via fxp0 Fragment = 147
Apr 20 14:48:21 fw last message repeated 9 times
Apr 20 14:50:26 fw last message repeated 33 times
Apr 20 14:55:40 fw last message repeated 11 times
Yep, get the same thing once in a while, I have been wondering what this was???

4/20/00, 18:40:00, 209.1.224.16,Tcp, 165, 38320, FIN SYN RST , Frag,
4/20/00, 18:40:02,Tcp, 165, 38320, FIN SYN RST , Frag,
4/20/00, 18:40:05,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,
4/20/00, 18:40:07,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,
4/20/00, 18:40:08,Tcp, 165, 38320, FIN SYN RST , Frag,
4/20/00, 18:40:11,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,
4/20/00, 18:40:17,Tcp, 165, 38320, FIN SYN RST , Frag,
4/20/00, 18:40:18,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,
4/20/00, 18:40:34,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,
4/20/00, 18:40:39,Tcp, 165, 38320, FIN SYN RST , Frag,
4/20/00, 18:41:06,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,
4/20/00, 18:41:22,Tcp, 165, 38320, FIN SYN RST , Frag,
4/20/00, 18:42:28,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:29,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:33,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:38,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:42:50,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:43:13,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
4/20/00, 18:43:59,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,
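
The flag reasoning in this thread, applied to its log format as a detection check. This is an added example, not part of the original messages; the field layout is inferred from the quoted lines, the names `parse_line`, `classify`, `report`, `port_a` and `port_b` are hypothetical, and the SYN+FIN, SYN+RST and no-flags checks are standard sanity rules that go beyond the RST+FIN case named in the reply.

```python
import re

ALL_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
# Pairs that contradict each other: open vs. close, or two different ways to close.
CONFLICTS = (("SYN", "FIN"), ("SYN", "RST"), ("FIN", "RST"))

# Layout inferred from the quoted log lines. The source IP is optional, and
# treating the two numeric fields as ports is an assumption.
LINE_RE = re.compile(
    r"^(?P<date>\d+/\d+/\d+),\s*(?P<time>[\d:]+),\s*"
    r"(?:(?P<src>\d+(?:\.\d+){3}),\s*)?"
    r"Tcp,\s*(?P<port_a>\d+),\s*(?P<port_b>\d+),\s*"
    r"(?P<flags>[A-Z ]*?)\s*,\s*(?P<frag>Frag)?\s*,?$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = frozenset(rec["flags"].split())
    rec["frag"] = rec["frag"] is not None
    return rec

def classify(flags):
    """Return the reasons a TCP flag set is invalid; an empty list means plausible."""
    reasons = []
    if not flags:
        reasons.append("null packet (no flags)")
    if flags >= ALL_FLAGS:
        reasons.append("christmas tree (all six flags)")
    reasons += [f"{a}+{b}" for a, b in CONFLICTS if a in flags and b in flags]
    return reasons

def report(lines):
    """Return (time, reasons, fragmented) for each parsable line with invalid flags."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and (reasons := classify(rec["flags"])):
            out.append((rec["time"], reasons, rec["frag"]))
    return out

SAMPLE = [  # first three lines are quoted in the thread; the last two are constructed
    "4/20/00, 18:40:00, 209.1.224.16,Tcp, 165, 38320, FIN SYN RST , Frag,",
    "4/20/00, 18:40:05,Tcp, 50978, 28056, FIN SYN PSH ACK URG , Frag,",
    "4/20/00, 18:42:28,Tcp, 41460, 34586, FIN SYN RST PSH ACK URG , Frag,",
    "4/20/00, 18:45:00,Tcp, 1025, 80, ACK FIN , ,",
    "not a log line",
]
```
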