RE: Strange TCP headers

From: Dano (dano@phink.org)
Date: 05/11/02


Date: Sat, 11 May 2002 02:35:12 -0400 (EDT)
From: Dano <dano@phink.org>
To: Robert Buckley <rbuckley@synapsemail.com>


On Fri, 10 May 2002, Robert Buckley wrote:

> pb,
> < It's not like there's
> a standard signature... ACK FIN URG set or something. Some have two flags,
> some have three, some have all six, some have none. It really seems like
> someone is manipulating these packets. >
>
> It sure does seem that way, in fact I noticed in some of your output that
> the header size was 0.
> Now we all know that's a sure impossibility. PIX won't pass anything from a
> high -> low interface without a bare SYN on it 1st anyways, so we can bet
> it's not going to get anywhere.
> Mirror a port and throw a sniffer there and monitor the port in question. If
> you find the garbage is truly garbage, and PIX is reporting correctly, trace
> it back to the user.

Hmm, on this note I'll throw in a few packets that I picked up in April; I
figured it was corruption in the packet myself, since the packets in
question have no reason to be on the network.

07:04:52.780367 198.7.0.16 > 88.0.156.254: (frag
224:4294967274@38296) [tos 0x4]
                         0604 0002 00e0 52b3 6a00 d1ca c607 0010
                         5800 9cfe d1ca c604 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 d1ca 0100
07:05:12.209263 198.6.0.80 > 139.176.28.26: (frag
224:4294967274@38464) [tos 0x4]
                         0604 0002 00e0 52c8 a600 d1ca c606 0050
                         8bb0 1c1a d1ca c6df 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 d1ca 0100

Haven't seen any for over a week, but someone might be able to use the
information; they started around 4/17 and ran until 4/29. I have tcpdumps of
the questionable packets.

--Dano
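Editor's added example, not code from Dano or the list: it takes the two hex dumps above (transcribed from the message, whitespace removed) as the bytes tcpdump treated as an IPv4 header, decodes the fields per RFC 791, and lists why they cannot be a real datagram. Field names, checks and the summarize() helper are the editor's.

```python
import struct
from ipaddress import IPv4Address

# Editor's example, not code from the thread. The two hex dumps are transcribed
# from the message above (whitespace removed) and treated as the bytes that
# tcpdump decoded as an IPv4 header when it printed the "frag" summary lines.
DUMPS = {
    "07:04:52": bytes.fromhex(
        "0604000200e052b36a00d1cac6070010"
        "58009cfed1cac6040000000000000000"
        "00000000000000000000d1ca0100"),
    "07:05:12": bytes.fromhex(
        "0604000200e052c8a600d1cac6060050"
        "8bb01c1ad1cac6df0000000000000000"
        "00000000000000000000d1ca0100"),
}

def decode_ipv4(data):
    """Parse the fixed 20-byte IPv4 header (RFC 791) and list every reason
    it is not a sane datagram, instead of trusting a one-line summary."""
    if len(data) < 20:
        return {"problems": ["truncated: fewer than 20 bytes"]}
    vihl, tos, tot_len, ident, frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    hdr_len = (vihl & 0x0F) * 4
    info = {
        "version": vihl >> 4, "header_len": hdr_len, "tos": tos,
        "total_len": tot_len, "id": ident, "ttl": ttl, "proto": proto,
        "flags": frag >> 13, "frag_offset": (frag & 0x1FFF) * 8,
        # total length minus header length as an unsigned 32-bit value:
        # this is where a "4294967274"-byte fragment comes from
        "payload_len_as_printed": (tot_len - hdr_len) & 0xFFFFFFFF,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
    }
    problems = []
    if info["version"] != 4:
        problems.append(f"version {info['version']} is not 4")
    if hdr_len < 20:
        problems.append(f"IHL gives a {hdr_len}-byte header, minimum is 20")
    if tot_len < hdr_len:
        problems.append(f"total length {tot_len} < header length {hdr_len}")
    info["problems"] = problems
    return info

def summarize():
    """Map each dump's timestamp to the list of header problems found."""
    return {ts: decode_ipv4(raw)["problems"] for ts, raw in DUMPS.items()}
```

For both dumps the decoder reproduces tcpdump's summary (id 224, offset 38296 and 38464, the two source/destination pairs) but reports version 0 and a 2-byte total length against a 24-byte header, so the bytes are not an IP header at all and the "frag" line should not be read as one.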

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
