Security Incidents mailing list archives

RE: Suspect short first fragment?


From: "Boyan Krosnov" <bkrosnov () lirex bg>
Date: Thu, 28 Feb 2002 22:29:34 +0200

Most probably it is not an attack but a scan of your machine for
services.

In short, technically:
IPv4 uses a feature called fragmentation to permit networks with
different MTUs (that's the maximum packet size) to communicate with each
other.
The minimum MTU really used on the internet is about 550 bytes.
If you ever see a first fragment of an IP packet that is less than, say,
500 bytes, it is probably someone trying to split the packets he sends
into small pieces (fragments) so that your filtering software does not
notice the real destination of the packet itself. For the attack to be
effective, they need to send a fragment smaller than the
transport/session layer header, which in this case is 8 bytes (the UDP
header). So they sent an IP packet fragmented into pieces so that the
first piece carries only the first byte of the UDP header, and your
Linux kernel noticed that it is not normal to receive a first fragment
so short.

Best Regards,
Boyan Krosnov, CCIE #8701
Senior Internetwork Engineer
Network Systems Department
Lirex BG Ltd.

phone: +359-2-91815
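To make the check Boyan describes concrete, here is an added example (not code from the thread, and not the Linux kernel's own ipchains code) that parses the log line from the original post and decides whether the first piece of a datagram carries a complete transport header. The function names, the assumption of a minimal 20-byte IP header (the log does not record IHL) and the comparison lines are mine; the kernel's own threshold for printing "Suspect short first fragment" may be lower than a full header. Decoding the F field as RFC 791 defines it also shows what the kernel saw for the logged packet: DF set, offset 0, and L=20, i.e. no bytes at all beyond the IP header.

```python
import re

# Minimum transport-layer header length, in bytes, per IP protocol number.
TRANSPORT_HEADER_LEN = {1: 8, 6: 20, 17: 8}  # ICMP, TCP, UDP

# Assumption: ipchains lines do not record the IP header length (IHL), so a
# minimal 20-byte IPv4 header without options is assumed when computing how
# many bytes are left for the transport header.
IP_HEADER_LEN = 20

# Field layout of an ipchains/syslog line as shown in the thread:
#   <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> S=0x<tos> I=<id> F=0x<frag> T=<ttl>
LOG_RE = re.compile(
    r"(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=0x(?P<tos>[0-9a-fA-F]+)\s+I=(?P<ipid>\d+)\s+"
    r"F=0x(?P<frag>[0-9a-fA-F]+)\s+T=(?P<ttl>\d+)"
)

# The line from the original post, re-joined onto one line (the archive wrapped it).
ORIGINAL_LINE = ("eth0 PROTO=17 212.15.64.83:0 200.186.111.146:0 "
                 "L=20 S=0x00 I=40960 F=0x4000 T=116 (#0)")

# Constructed comparison lines (not from the thread): a normal DNS reply,
# a first fragment with MF set that still lacks a whole UDP header, and a
# later fragment of that same datagram.
CONSTRUCTED_LINES = [
    "eth0 PROTO=17 10.0.0.53:53 10.0.0.7:1025 L=72 S=0x00 I=4321 F=0x0000 T=64 (#0)",
    "eth0 PROTO=17 10.0.0.9:0 10.0.0.7:0 L=24 S=0x00 I=777 F=0x2000 T=64 (#0)",
    "eth0 PROTO=17 10.0.0.9:0 10.0.0.7:0 L=28 S=0x00 I=777 F=0x0001 T=64 (#0)",
]


def parse_ipchains_line(line):
    """Parse one log line into a dict, decoding the IPv4 fragment field.

    The 16-bit fragment field is three flag bits (reserved, DF, MF) followed
    by a 13-bit offset counted in 8-byte units (RFC 791).
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    frag = int(m.group("frag"), 16)
    return {
        "iface": m.group("iface"),
        "proto": int(m.group("proto")),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "length": int(m.group("length")),      # total datagram length, bytes
        "tos": int(m.group("tos"), 16),
        "ipid": int(m.group("ipid")),
        "ttl": int(m.group("ttl")),
        "dont_fragment": bool(frag & 0x4000),
        "more_fragments": bool(frag & 0x2000),
        "frag_offset": (frag & 0x1FFF) * 8,    # offset in bytes
    }


def classify(fields):
    """Return (verdict, bytes_available, bytes_needed) for a parsed line.

    A datagram at offset 0 is the first (or only) piece; if it does not carry
    a complete transport header, a port-based filter cannot decide on it.
    """
    needed = TRANSPORT_HEADER_LEN.get(fields["proto"])
    available = fields["length"] - IP_HEADER_LEN
    if needed is None:
        return ("unknown_protocol", available, None)
    if fields["frag_offset"] != 0:
        return ("non_first_fragment", available, needed)
    if available < needed:
        return ("short_first_fragment", available, needed)
    return ("ok", available, needed)


def analyze(line):
    """Parse and classify one line; None if the line is not an ipchains record."""
    fields = parse_ipchains_line(line)
    return None if fields is None else classify(fields)


if __name__ == "__main__":
    for line in [ORIGINAL_LINE] + CONSTRUCTED_LINES:
        f = parse_ipchains_line(line)
        print("%-16s DF=%d MF=%d off=%-3d L=%-3d -> %s" % (
            f["src"], f["dont_fragment"], f["more_fragments"],
            f["frag_offset"], f["length"], classify(f)))
```

Running it over the posted line gives `short_first_fragment` with 0 of 8 UDP header bytes present, while the constructed DNS reply classifies as `ok` and the offset-8 piece as `non_first_fragment`; the same split into "offset 0" and "enough bytes for the header" is what a stateless filter needs before it can safely match on ports.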


-----Original Message-----
From: jamie () jamie-sue org [mailto:jamie () jamie-sue org]
Sent: Thursday, February 28, 2002 7:57 PM
To: incidents () securityfocus com
Subject: Suspect short first fragment?




I got several of these messages in my syslogd logs -

I'm using Redhat 7.1

any idea?  Is this an attack?

Suspect short first fragment.
eth0 PROTO=17 212.15.64.83:0 200.186.111.146:0 L=20 S=0x00 I=40960 F=0x4000 T=116 (#0)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


