Security Incidents mailing list archives

Re: fragment attack of some kind ?


From: DerekB () AMDOCS COM (Derek Becker)
Date: Mon, 17 Apr 2000 13:18:02 -0500


Actually, the # refers to which line in your chain triggered the log. In
this case, line 32 of your input chain DENYed the listed traffic.

Derek

-----Original Message-----
From: Klavs Klavsen [mailto:ktk () BERLINGSKE-ONLINE DK]
Sent: Tuesday, April 11, 2000 2:38 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: fragment attack of some kind ?

Dear sirs,

I've encountered the following in a Linux firewall..
(and I would be grateful if you would shed some light on it for me..)

Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17 216.35.71.246:2000 x.x.x.x:33434 L=64 S=0x00 I=22914 F=0x0000 T=242 (#32)
Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17 216.35.71.246:2001 x.x.x.x:33434 L=64 S=0x00 I=22916 F=0x0000 T=242 (#32)
Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17 216.35.71.246:2002 x.x.x.x:33434 L=64 S=0x00 I=22918 F=0x0000 T=242 (#32)
Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6 216.35.71.246:2000 x.x.x.x:33434 L=104 S=0x00 I=35096 F=0x0000 T=242 SYN (#24)
Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6 216.35.71.246:2001 x.x.x.x:33434 L=104 S=0x00 I=36448 F=0x0000 T=242 SYN (#24)
Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6 216.35.71.246:2002 x.x.x.x:33434 L=104 S=0x00 I=44944 F=0x0000 T=242 SYN (#24)

Am I interpreting it correctly, when I see the first 3 lines, as packages with
length 64 (is that odd?) and the #32 means that it's supposed to be the 32nd
fragment? And what does the I stand for? And the F? The T is the TTL of the
package?

And is the second row of packages the same kind of package as the first one,
but with the SYN bit set?

And at last, my final question.. This firewall is also masquerading for a lot
of clients.. both linux and winblows.. and I get a lot of these "funny"
packages... is there any way that they can be caused by.. something initiated
by my clients?

Best regards,

Klavs Klavsen
Denmark
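The fields Klavs asks about are the standard ipchains kernel log layout, which the ipchains HOWTO documents as: chain, verdict, interface, PROTO (IP protocol number), source:port, destination:port, L (total IP length in bytes), S (TOS byte), I (IP identification), F (the 16-bit flags/fragment-offset word), T (TTL), an optional SYN marker for TCP, and finally (#N), the rule number in the chain that matched, exactly as Derek says. The decoder below is an added example written for this archive page, not code from either poster. It parses the six lines from the thread (re-joined onto one line each, since the mail client wrapped them; the `x.x.x.x` placeholder is the original poster's), splits F into offset, MF and DF bits so the "fragment" question can be answered per packet, and groups the records so a probe pattern (one destination port, stepping source ports, constant TTL) is visible at a glance. The group/summary layout is my own choice, not anything ipchains emits.

```python
import re

# Layout of an ipchains kernel log line (from the ipchains HOWTO):
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<total length> S=<TOS> I=<IP id> F=<frag word> T=<TTL> [SYN] (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_line(line):
    """Decode one ipchains 'Packet log:' line; returns None if the line does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    frag = int(d["frag"], 16)
    proto = int(d["proto"])
    rec = {
        "chain": d["chain"],
        "verdict": d["verdict"],
        "iface": d["iface"],
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, "proto-%d" % proto),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]),        # L: total IP datagram length in bytes
        "tos": int(d["tos"], 16),          # S: IP Type of Service byte
        "ipid": int(d["ipid"]),            # I: IP identification field
        # F: the IP header's 16-bit flags/fragment-offset word.
        # Low 13 bits = fragment offset in 8-byte units, 0x2000 = MF, 0x4000 = DF.
        "frag_offset": (frag & 0x1FFF) * 8,
        "more_fragments": bool(frag & 0x2000),
        "dont_fragment": bool(frag & 0x4000),
        "ttl": int(d["ttl"]),              # T: IP time-to-live
        "tcp_flags": d["flags"].split(),   # ipchains appends "SYN" when the TCP SYN bit is set
        "rule": int(d["rule"]),            # (#N): rule number in the chain that matched
    }
    # A packet is a fragment only if the offset is non-zero or MF is set.
    rec["is_fragment"] = rec["frag_offset"] != 0 or rec["more_fragments"]
    return rec


def parse_log(text):
    """Parse every matching line of a log excerpt, skipping anything that is not a Packet log line."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def summarize(records):
    """Group by (src, dst, proto, dport) so a probe pattern stands out (my own layout)."""
    groups = {}
    for r in records:
        key = (r["src"], r["dst"], r["proto_name"], r["dport"])
        g = groups.setdefault(key, {"count": 0, "sports": [], "ttls": set(),
                                    "rules": set(), "fragments": 0})
        g["count"] += 1
        g["sports"].append(r["sport"])
        g["ttls"].add(r["ttl"])
        g["rules"].add(r["rule"])
        g["fragments"] += int(r["is_fragment"])
    return groups


# The six lines from the post, re-joined onto one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17 216.35.71.246:2000 x.x.x.x:33434 L=64 S=0x00 I=22914 F=0x0000 T=242 (#32)
Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17 216.35.71.246:2001 x.x.x.x:33434 L=64 S=0x00 I=22916 F=0x0000 T=242 (#32)
Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17 216.35.71.246:2002 x.x.x.x:33434 L=64 S=0x00 I=22918 F=0x0000 T=242 (#32)
Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6 216.35.71.246:2000 x.x.x.x:33434 L=104 S=0x00 I=35096 F=0x0000 T=242 SYN (#24)
Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6 216.35.71.246:2001 x.x.x.x:33434 L=104 S=0x00 I=36448 F=0x0000 T=242 SYN (#24)
Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6 216.35.71.246:2002 x.x.x.x:33434 L=104 S=0x00 I=44944 F=0x0000 T=242 SYN (#24)
"""

if __name__ == "__main__":
    for key, g in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, g)
```

Run on the excerpt, the summary shows two groups, both from 216.35.71.246 to port 33434: three UDP packets matched by rule 32 and three TCP SYNs matched by rule 24, with source ports stepping 2000, 2001, 2002, a constant TTL of 242, and a fragment count of zero in both. That last number answers the subject line directly: F=0x0000 means neither a fragment offset nor the MF bit is present, so none of these packets is a fragment, and (#32) and (#24) are chain rule numbers, not fragment numbers. For what it is worth, UDP destination port 33434 is the default starting destination port of the classic UNIX traceroute; the thread itself does not draw that conclusion, but it is the kind of detail a per-destination-port grouping makes easy to spot.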
