Security Incidents mailing list archives
RE: Strange TCP headers
From: Dano <dano () phink org>
Date: Sat, 11 May 2002 02:35:12 -0400 (EDT)
On Fri, 10 May 2002, Robert Buckley wrote:
> pb,
>
> < It's not like there's a standard signature... ACK FIN URG set or
> something. Some have two flags, some have three, some have all six,
> some have none. It really seems like someone is manipulating these
> packets. >
>
> It sure does seem that way, in fact I noticed in some of your output
> that the header size was 0. Now we all know that's a sure impossibility.
> PIX won't pass anything from a high -> low interface without a bare SYN
> on it 1st anyways, so we can bet it's not going to get anywhere. Mirror
> a port and throw a sniffer there and monitor the port in question. If
> you find the garbage is truly garbage, and PIX is reporting correctly,
> trace it back to the user.

Hmm, on this note I'll throw in a few packets that I picked up in April.
Figured it was corruption in the packet myself, since the packets in
question have no reason to be on the network.

07:04:52.780367 198.7.0.16 > 88.0.156.254: (frag 224:4294967274@38296) [tos 0x4]
                         0604 0002 00e0 52b3 6a00 d1ca c607 0010
                         5800 9cfe d1ca c604 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 d1ca 0100
07:05:12.209263 198.6.0.80 > 139.176.28.26: (frag 224:4294967274@38464) [tos 0x4]
                         0604 0002 00e0 52c8 a600 d1ca c606 0050
                         8bb0 1c1a d1ca c6df 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 d1ca 0100

Haven't seen any for over a week, but someone might be able to use the
information. Started around 4/17 until 4/29. I have tcpdumps of the
questionable packets.

--Dano

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
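The following is an added example by the editor, not part of the thread above. It takes the two hex dumps exactly as Dano pasted them and re-derives what tcpdump reported (source and destination addresses, the fragment id of 224, the offsets 38296 and 38464, and the "size" of 4294967274) while listing every IPv4 header field that fails a basic sanity check. This is the kind of independent decode Robert Buckley's "find out whether the garbage is truly garbage" suggestion calls for: it shows that the 4294967274 is simply (total length 2 minus header length 24) wrapped to 32 bits unsigned, that the version nibble is 0, and that the header checksum does not verify. As a second, clearly separate reading, it also decodes the same 24 bytes as if they were an ARP message body with its 4-byte hardware/protocol-type prefix missing; nobody in the thread proposed this, it is only the editor's observation that the bytes happen to parse cleanly that way (hardware length 6, protocol length 4, opcode 2, then two MAC/IP pairs), which may help whoever still has the captures decide what they were looking at.

```python
import struct

# The two hex dumps exactly as pasted in Dano's message (IP header onward,
# the way old tcpdump -x printed them). Everything else is editor-added code.
DUMP1 = ("0604 0002 00e0 52b3 6a00 d1ca c607 0010 5800 9cfe d1ca c604 "
         "0000 0000 0000 0000 0000 0000 0000 0000 0000 d1ca 0100")
DUMP2 = ("0604 0002 00e0 52c8 a600 d1ca c606 0050 8bb0 1c1a d1ca c6df "
         "0000 0000 0000 0000 0000 0000 0000 0000 0000 d1ca 0100")


def hex_words_to_bytes(dump):
    """Turn tcpdump's space-separated 16-bit hex words back into raw bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def ipv4_checksum_ok(header):
    """RFC 791 one's-complement check: a valid header sums to 0xFFFF."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4(raw):
    """Decode the fixed IPv4 header fields without trusting any of them.

    Returns the fields plus a list of sanity-check failures. 'payload_len'
    deliberately wraps to 32 bits unsigned, which is how tcpdump arrived at
    the '4294967274' shown in the thread's frag output.
    """
    vihl, tos, total_len, ident, flags_off, ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", raw[:12])
    version = vihl >> 4
    hlen = (vihl & 0x0F) * 4
    fields = {
        "version": version,
        "hlen": hlen,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_off & 0x4000),
        "mf": bool(flags_off & 0x2000),
        "frag_off": (flags_off & 0x1FFF) * 8,
        "ttl": ttl,
        "proto": proto,
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "payload_len": (total_len - hlen) & 0xFFFFFFFF,
    }
    problems = []
    if version != 4:
        problems.append(f"version field is {version}, not 4")
    if hlen < 20:
        problems.append(f"header length {hlen} is below the 20-byte minimum")
    if total_len < hlen:
        problems.append(f"total length {total_len} is smaller than header length {hlen}")
    if 20 <= hlen <= len(raw) and not ipv4_checksum_ok(raw[:hlen]):
        problems.append("header checksum does not verify")
    fields["problems"] = problems
    return fields


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def parse_as_arp_body(raw):
    """Editor's observation, not a claim from the thread: read the same 24
    bytes as an ARP body whose 4-byte htype/ptype prefix is missing."""
    hlen, plen, op = struct.unpack("!BBH", raw[:4])
    if (hlen, plen) != (6, 4):
        return None  # does not even have Ethernet/IPv4 address lengths
    return {
        "op": {1: "request", 2: "reply"}.get(op, op),
        "sender_mac": _mac(raw[4:10]), "sender_ip": _ip(raw[10:14]),
        "target_mac": _mac(raw[14:20]), "target_ip": _ip(raw[20:24]),
    }


if __name__ == "__main__":
    for dump in (DUMP1, DUMP2):
        raw = hex_words_to_bytes(dump)
        ip = parse_ipv4(raw)
        print(f"as IPv4: {ip['src']} > {ip['dst']} frag {ip['id']}:"
              f"{ip['payload_len']}@{ip['frag_off']} tos {ip['tos']:#x}")
        for p in ip["problems"]:
            print("   problem:", p)
        print("as ARP body:", parse_as_arp_body(raw))
```

Running it reproduces tcpdump's summary line for both packets, and the problem list makes Buckley's "header size was 0" point concrete: the fields cannot describe a real IP datagram, so the question is whether the capture or the sending host produced the bytes, not what an attacker was trying to do with them.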
Current thread:
- Strange TCP headers pbsarnac (May 10)
- Re: Strange TCP headers Matt Zimmerman (May 10)
- Re: Strange TCP headers Michel Arboi (May 11)
- RE: Strange TCP headers Benjamin Tomhave (May 11)
- <Possible follow-ups>
- RE: Strange TCP headers Robert Buckley (May 10)
- RE: Strange TCP headers pbsarnac (May 10)
- RE: Strange TCP headers Robert Buckley (May 10)
- RE: Strange TCP headers Dano (May 11)