Security Incidents mailing list archives

Re: Small tcp fragments.


From: Ian Eure <ieure () SICKFUCK ORG>
Date: Thu, 7 Sep 2000 08:36:13 -0700

On Wed, 6 Sep 2000 cider () SPEAKEASY ORG wrote:
hi,

      from time to time I see very small tcp fragments with source and
destination port == 0, no payload, no options, and both DF and MF bits
set.  these are frequently from IP addresses which have established
legitimate tcp connections (usually to port 80 or 443) to hosts on my
network, and there are usually only one or two of these fragments per
source.  because of the lack of any real information in these fragments,
i'm suspecting misbehaving networking equipment rather than malicious
activity - though it did occur to me that they may be some kind of "packet
of death" for a particular operating system.  anyone else familiar with /
see these packets?  they seem to originate mostly from european address
space, though there have been a few US-generated fragments as well.

in the last few weeks, i have seen two or three similar packets:

-- snip -- (times are PDT, UTC -0700)
Aug 28 03:12:36 spindle kernel: Packet log: ltraf REJECT eth0 PROTO=6
client.ip.was.here:3389 my.ip.was.here:0 L=40 S=0x00 I=22997 F=0x4000
T=119 (#11)
-- snip --

what is more interesting is that i got a portmapper scan from the same ip
the day before.

--
 ______________________________________________
| "the whole scale of cosmic dimensions are falling from my mouth
| in the description of a kiss of the interimlovers"
|   - einstürzende neubauten, "interim"
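As an added example, not part of the thread or either poster's code: a small parser for ipchains "Packet log:" lines (the format of the line Ian quotes) that flags the oddities both posters describe, namely port 0, DF and MF set together in the F= field, and headers-only TCP packets. The three sample lines are constructed from the quoted one, with placeholder hosts and counters.

```python
import re

# Constructed ipchains "Packet log:" lines modelled on the quoted one; hosts and counters are placeholders.
SAMPLE_LOG = """\
Aug 28 03:12:36 spindle kernel: Packet log: ltraf REJECT eth0 PROTO=6 client.ip.was.here:3389 my.ip.was.here:0 L=40 S=0x00 I=22997 F=0x4000 T=119 (#11)
Aug 28 03:12:40 spindle kernel: Packet log: ltraf REJECT eth0 PROTO=6 client.ip.was.here:0 my.ip.was.here:0 L=40 S=0x00 I=22998 F=0x6000 T=119 (#11)
Aug 28 03:13:01 spindle kernel: Packet log: ltraf ACCEPT eth0 PROTO=6 client.ip.was.here:1234 my.ip.was.here:80 L=60 S=0x00 I=22999 F=0x4000 T=119 (#3)
"""

IP_DF = 0x4000          # Don't Fragment bit of the IP fragment field (logged as F=)
IP_MF = 0x2000          # More Fragments bit
IP_OFFSET_MASK = 0x1FFF # low 13 bits: fragment offset in 8-byte units

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) L=(?P<len>\d+) "
    r"S=0x[0-9a-fA-F]+ I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

def parse_line(line):
    """Parse one ipchains log line into a dict, or return None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    frag = int(d["frag"], 16)
    rec = {k: d[k] for k in ("chain", "action", "iface", "src", "dst")}
    rec.update({k: int(d[k]) for k in ("proto", "sport", "dport", "len", "id", "ttl")})
    rec["df"] = bool(frag & IP_DF)
    rec["mf"] = bool(frag & IP_MF)
    rec["offset"] = (frag & IP_OFFSET_MASK) * 8   # fragment offset in bytes
    return rec

def anomalies(rec):
    """Reasons a TCP record matches the oddities described in the thread."""
    reasons = []
    if rec["proto"] != 6:
        return reasons
    if rec["df"] and rec["mf"]:
        reasons.append("DF and MF both set")       # contradictory flag combination
    if rec["sport"] == 0 or rec["dport"] == 0:
        reasons.append("port 0")
    if rec["offset"] == 0 and rec["len"] <= 40:    # 20-byte IP + 20-byte TCP header, nothing else
        reasons.append("headers only, no payload")
    return reasons

def scan(log_text):
    # (src, dst, dport, reasons) for every line that trips at least one check
    return [(r["src"], r["dst"], r["dport"], anomalies(r))
            for r in map(parse_line, log_text.splitlines()) if r and anomalies(r)]
```

Running `scan(SAMPLE_LOG)` flags the first two constructed lines and passes the ordinary port-80 one; feeding it a real ipchains log gives a per-source list to correlate with the portmapper scan Ian mentions.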

