RE: Strange TCP headers

From: Dano (dano@phink.org)
Date: 05/11/02


Date: Sat, 11 May 2002 02:35:12 -0400 (EDT)
From: Dano <dano@phink.org>
To: Robert Buckley <rbuckley@synapsemail.com>


On Fri, 10 May 2002, Robert Buckley wrote:

> pb,
> < It's not like there's a standard signature... ACK FIN URG set or
> something. Some have two flags, some have three, some have all six, some
> have none. It really seems like someone is manipulating these packets. >
>
> It sure does seem that way, in fact I noticed in some of your output that
> the header size was 0.
> Now we all know that's a sure impossibility. Pix won't pass anything from a
> high -> low interface without a bare SYN on it 1st anyways, so we can bet
> it's not going to get anywhere.
> Mirror a port and throw a sniffer there and monitor the port in question.
> If you find the garbage is truly garbage, and pix is reporting correctly,
> trace it back to the user.

Hmm, on this note I'll throw in a few packets that I picked up in April;
I figured it was corruption in the packet myself, since the packets in
question have no reason to be on the network.

07:04:52.780367 198.7.0.16 > 88.0.156.254: (frag 224:4294967274@38296) [tos 0x4]
                         0604 0002 00e0 52b3 6a00 d1ca c607 0010
                         5800 9cfe d1ca c604 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 d1ca 0100
07:05:12.209263 198.6.0.80 > 139.176.28.26: (frag 224:4294967274@38464) [tos 0x4]
                         0604 0002 00e0 52c8 a600 d1ca c606 0050
                         8bb0 1c1a d1ca c6df 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 d1ca 0100

Haven't seen any for over a week, but someone might be able to use the
information; they started around 4/17 and continued until 4/29. I have
tcpdumps of the questionable packets.

--Dano
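
Decoding the first hex dump above with the same field layout a 2002-era tcpdump used shows where the odd summary line comes from: the bytes give IP version 0, a 24-byte header and a total length of 2, and tcpdump's unsigned "total length minus header length" wraps to 4294967274. This is an added example, not code from the thread; the ARP reading at the end is a hypothesis of mine that the bytes happen to fit, not something the poster claimed.

```python
import struct

# Hex words copied from the first packet in the message above (constructed input).
PKT1_HEX = """
0604 0002 00e0 52b3 6a00 d1ca c607 0010
5800 9cfe d1ca c604 0000 0000 0000 0000
0000 0000 0000 0000 0000 d1ca 0100
"""

def parse_hexdump(text):
    """Turn tcpdump -x style hex words into raw bytes."""
    return bytes.fromhex("".join(text.split()))

def decode_ipv4_header(pkt):
    """Read the first 20 bytes as an IPv4 header without trusting any field."""
    vihl, tos, total_len, ident, flags_off, ttl, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    hlen = (vihl & 0x0F) * 4
    # Old tcpdump kept len as an unsigned int and did len -= hlen, so a total
    # length smaller than the header length wraps modulo 2**32.
    tcpdump_len = (total_len - hlen) % (1 << 32)
    return {"version": vihl >> 4, "hlen": hlen, "tos": tos, "total_len": total_len,
            "id": ident, "df": bool(flags_off & 0x4000), "mf": bool(flags_off & 0x2000),
            "frag_off": (flags_off & 0x1FFF) * 8, "ttl": ttl, "proto": proto,
            "src": src, "dst": dst, "tcpdump_len": tcpdump_len}

def sanity_problems(h):
    """Checks a decoder should apply before believing the header is real IPv4."""
    problems = []
    if h["version"] != 4:
        problems.append(f"version {h['version']} != 4")
    if h["hlen"] < 20:
        problems.append(f"header length {h['hlen']} < 20")
    if h["total_len"] < h["hlen"]:
        problems.append(f"total length {h['total_len']} < header length {h['hlen']}")
    return problems

def tcpdump_line(h):
    """Reproduce the fragment summary tcpdump printed for these bytes."""
    return f"{h['src']} > {h['dst']}: (frag {h['id']}:{h['tcpdump_len']}@{h['frag_off']}) [tos {h['tos']:#x}]"

def as_arp_body(pkt):
    """Hypothesis (not from the thread): the same bytes also parse as an ARP packet
    whose first four bytes (hardware type, protocol type) are missing."""
    hlen, plen, oper = struct.unpack("!BBH", pkt[:4])
    return {"hlen": hlen, "plen": plen, "oper": oper,          # oper 2 = reply
            "sha": pkt[4:10].hex(":"), "spa": ".".join(str(b) for b in pkt[10:14]),
            "tha": pkt[14:20].hex(":"), "tpa": ".".join(str(b) for b in pkt[20:24])}

if __name__ == "__main__":
    hdr = decode_ipv4_header(parse_hexdump(PKT1_HEX))
    print(tcpdump_line(hdr))
    print("problems:", sanity_problems(hdr))
    print("as ARP:", as_arp_body(parse_hexdump(PKT1_HEX)))
```

The second dump decodes the same way (only the offset and addresses differ), which is why both summary lines carry the identical impossible length.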

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com