Security Incidents mailing list archives
Re: fragment attack of some kind ?
From: DerekB () AMDOCS COM (Derek Becker)
Date: Mon, 17 Apr 2000 13:18:02 -0500
Actually, the # refers to which line in your chain triggered the log. In this case, line 32 of your input chain DENYed the listed traffic. Derek -----Original Message----- From: Klavs Klavsen [mailto:ktk () BERLINGSKE-ONLINE DK] Sent: Tuesday, April 11, 2000 2:38 AM To: INCIDENTS () SECURITYFOCUS COM Subject: fragment attack of some kind ? Dear sirs, I've encountered the following in a Linux firewall.. (and I would be greatful if you would shed some light on it for me..) Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17 216.35.71.246:2000 x.x.x.x:33434 L=64 S=0x00 I=22914 F=0x0000 T=242 (#32) Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17 216.35.71.246:2001 x.x.x.x:33434 L=64 S=0x00 I=22916 F=0x0000 T=242 (#32) Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17 216.35.71.246:2002 x.x.x.x:33434 L=64 S=0x00 I=22918 F=0x0000 T=242 (#32) Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6 216.35.71.246:2000 x.x.x.x:33434 L=104 S=0x00 I=35096 F=0x0000 T=242 SYN (#24) Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6 216.35.71.246:2001 x.x.x.x:33434 L=104 S=0x00 I=36448 F=0x0000 T=242 SYN (#24) Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6 216.35.71.246:2002 x.x.x.x:33434 L=104 S=0x00 I=44944 F=0x0000 T=242 SYN (#24) Am I interpreting it correct, when I see the first 3 lines, as packages with length 64 (is that odd ?) and the #32 means that it's suppose to be the 32'st fragment ? and what does the I stand for ? and the F ? the T is the ttl of the package ? And is the second row of packages, the same kind of package as the first one, but with the SYN bit set ? And at last, my final question.. This firewall is also masquarading for a lot of clients.. both linux and winblows.. and I get a lot of these "funny" packages... is there anyway that they can be caused by.. something initiated by my clients ? Best regards, Klavs Klavsen Denmark
Current thread:
- Re: fragment attack of some kind ? Derek Becker (Apr 17)