Re: Source port 0 and from a 0 network to boot?

[Valdis.Kletnieks () vt edu]

> the network.  The PC will be shipped to us from our remote office but
> in the mean time does anyone recognize this traffic?  I'm curious
> about the spoofed source addresses, 0.x.x.x.  They appear random,
> other then the first octet being 0, but this PC choked an internal
> router with 50MB of traffic

Just as a totally shot-in-the-dark, is it possible that the IP
packets in question contain IP options or similar weirdness, and
your Dragon sensor misinterpreted the packet?  I've seen more than one
tool that blindly assumed that an IP header is 40 bytes, and started
decoding the TCP header 40 bytes in, no matter what.  Botched decodes
of the "returned packet header" in an ICMP seem to be pretty popular as
well.

Of course, sometimes the malware programmers are the ones that botch
things - stuff like using your own custom structure definitions that
don't match reality, leaving out a field, and all your crafted packets
go out the door busticated.   (They'd have to try hard to botch that in
this case - source addr/port aren't adjacent...)

If feasible, try trapping the traffic with Ethereal or tcpdump or other
tool, and see if it agrees that there's zeros in the source port and
the first byte of the source addr...

Attachment: _bin
Description: