RE: Strange TCP headers

From: Robert Buckley (rbuckley@synapsemail.com)
Date: 05/10/02

• Previous message: Matt Zimmerman: "Re: Strange TCP headers"
• Maybe in reply to: pbsarnac@ThoughtWorks.com: "Strange TCP headers"
• Next in thread: pbsarnac@ThoughtWorks.com: "RE: Strange TCP headers"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Robert Buckley <rbuckley@synapsemail.com>
To: "'pbsarnac@ThoughtWorks.com'" <pbsarnac@ThoughtWorks.com>, incidents@securityfocus.com
Date: Fri, 10 May 2002 12:00:32 -0400

pb,
        That is strange. Do you have some raw data to back up what pix is
saying. If you have an old IOS running there, it could very well be pix is
not reporting correctly. We need to verify this by looking at the actual raw
header, and see if it has options etc. I've caught a few people on my own
network using gnutella, which is prohibited by policy, but I've never seen
our pix's report bad header lengths on the traffic.

-----Original Message-----
From: pbsarnac@ThoughtWorks.com [mailto:pbsarnac@ThoughtWorks.com]
Sent: Friday, May 10, 2002 11:40 AM
To: incidents@securityfocus.com
Subject: Strange TCP headers

I just joined the list, and a quick search of the archives didn't turn this
up, but forgive me if this has already been discussed.

Starting on May 8 and continuing on through today, my firewall has been
picking up malformed TCP packets. The PIX complains about bad header
lengths, but the flag combinations that are showing up are extremely
strange. The source IP addresses are varied, and the destination IPs are
all NAT'd client workstations... not servers. The interesting thing is that
a majority of the scans are originating from port 6346, which snort.org
informs me is the gnutella server port. I've verified that at least two of
the clients that these packets were directed to were running various
file-sharing clients. Is this some sort of new scanning tool that runs over
the Gnutella network? Anyone have any thoughts?

(See attached file: 5-10-02-scans.txt)

Thanks!
Patrick Sarnacke

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

---

• Previous message: Matt Zimmerman: "Re: Strange TCP headers"
• Maybe in reply to: pbsarnac@ThoughtWorks.com: "Strange TCP headers"
• Next in thread: pbsarnac@ThoughtWorks.com: "RE: Strange TCP headers"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: The document name or path is not vaild... ... the Zip file was corrupt. ... very persnickety with its header. ... >> I have tried saving the file to network drives, ... >> we can't always ask our clients to re-send in Rich Text Format! ... (microsoft.public.word.application.errors) Re: IIS 5.0 Accept Header Bug: Any Workarounds? ... The Accept header is in the HTTP specification for a good reason. ... Hacking the web server to accept broken web clients, ... It is possible to hack IIS to munge/remove the incoming Accept header so ... (microsoft.public.inetserver.iis) Re: Setting the Reply-To address ... with the "incorrect" address, does it go back to the right place, or does it ... Ben Winzenz wrote: ... That is what mail clients use when they reply to a ... (Note that this may or may not relate to the "Reply-To" SMTP header. ... (microsoft.public.exchange.admin) Re: How to deal with 24 bit PCM in ACM driver ... I can see that different clients set wav header data differently before ... a 24-bit noise file in PCM wav format (this shows up as "24bit Packed Int ... >> various clients (SoundRecorder, WinMediaPlayer, WinAmp, Audition. ... (microsoft.public.win32.programmer.directx.audio)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)