Re: Another question on IPFW Rule -1

From: Crist J. Clark (cristjc@earthlink.net)
Date: 07/18/01


Date: Tue, 17 Jul 2001 22:39:40 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: "D. W. Piper" <dwplists@loop.com>

On Tue, Jul 17, 2001 at 01:05:39PM -0700, D. W. Piper wrote:
> Originally I'd asked whether IPFW rule -1 always indicated an attack
> because for the last few weeks we've been seeing the following entries
> in the IPFW logs on two of our servers:
>
> ipfw: -1 Refuse TCP aaa.bbb.ccc.ddd www.xxx.yyy.zzz in via de0 Fragment = 184
>
> Yesterday for example it happened for about 25 minutes on the primary
> mail server, then when it stopped happening on that server it happened
> for about 20 minutes on one of our secondary mail servers.
>
> As I said earlier, this has been going on for the last few weeks, always
> from the same IP address, always to the same two of our servers, and
> always with "Fragment = 184".
>
> Can anyone shed any light on what's going on here?
>
> Is it significant that it's always "Fragment = 184"? (Is that the
> number of the fragment, or if not what does it mean?)

It's the offset. The data in the fragment should be placed at an
offset of 1472 bytes in the reassembled datagram. This is not a "bogus
frag" as described in the manpage. I think it's probably a runt
packet.

-- 
Crist J. Clark                           cjclark@alum.mit.edu
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
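The "offset" reading above comes from the IPv4 header: the 13-bit fragment offset field counts 8-byte units, so 184 means byte 1472 of the reassembled datagram. The following is an added example (not from the post or from FreeBSD) that decodes those fields from a constructed header and separates a first fragment, an offset-1 fragment (the tiny-fragment case IPFW's "bogus frag" check is aimed at) and an ordinary trailing fragment such as the one logged here; the header builder and its addresses are constructed sample input.

```python
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def build_ipv4_header(frag_offset_units, more_fragments, total_length=60, proto=6):
    """Build a constructed sample header carrying the given 13-bit fragment
    offset (8-byte units). Checksum is left at 0; addresses are placeholders."""
    if not 0 <= frag_offset_units < 2 ** 13:
        raise ValueError("fragment offset must fit in 13 bits")
    flags_and_offset = (0x2000 if more_fragments else 0) | frag_offset_units
    return struct.pack(IPV4_FMT, 0x45, 0, total_length, 0x1234, flags_and_offset,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def parse_fragment_info(header):
    """Decode the fragmentation-related fields of an IPv4 header."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    (version_ihl, _tos, total_length, _ident, flags_and_offset,
     _ttl, proto, _csum, _src, _dst) = struct.unpack(IPV4_FMT, header[:20])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (version_ihl & 0x0F) * 4          # header length in bytes
    offset_units = flags_and_offset & 0x1FFF  # low 13 bits, in 8-byte units
    return {
        "proto": proto,
        "dont_fragment": bool(flags_and_offset & 0x4000),
        "more_fragments": bool(flags_and_offset & 0x2000),
        "offset_units": offset_units,
        "offset_bytes": offset_units * 8,   # where this data lands on reassembly
        "is_first_fragment": offset_units == 0,
        "payload_bytes": total_length - ihl,
    }

def classify(info):
    """Only the first fragment carries the TCP/UDP header, so port-based rules
    cannot be evaluated on later fragments. Offset 1 (8 bytes in) would overlap
    the transport header; a large offset like 184 is a plain trailing fragment."""
    if info["is_first_fragment"]:
        return "first fragment: transport header visible"
    if info["offset_units"] == 1:
        return "bogus fragment: offset 1 overlaps the transport header"
    return "trailing fragment at byte %d: no transport header to inspect" % info["offset_bytes"]
```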

