Odd Increase in Malformed Packets Aimed at Port 0

crusher_at_spamcop.net
Date: 10/17/05

    Date: 17 Oct 2005 17:24:31 -0000
    To: incidents@securityfocus.com
    
    
    I've been getting a steadily increasing number of these types of alerts from my firewall. They began on October 5th, 2005 on my home network, on a Comcast cable connection, when I received just one of these alerts. 6 days later, on October 11th, I began getting several a day. Now, I get as many as 100 in a single day.

    Then, October 14th, I began seeing the same thing at my office, on a small /28 IP block. It started with one, then steadily increased over the weekend. I'm now up to about 5 - 6 per day at the office, but expect it will eventually match what I am seeing on my Cable connection at home.

    Here is an example of the type of "attack" alert I get. Please note that aside from the "attacking" IP, all logs are identical, right down to the Port 0 the "attacking" IP sources from:

    10/17/2005 12:29:56.528 - Alert - Network Access - Malformed or unhandled IP packet dropped - 13.106.57.65, 0, X1 - XXX.XXX.XXX, 1025 - IP Protocol 17

    This appears to be a "new" attack, exploit attempt, or something going on out on the net, but I've not been able to find anything on it.

    I've checked with colleagues in the field, and they, too, have been noticing this same type of activity going on, and are equally stumped.
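
A way to quantify the trend described in the post, as an added example that is not part of the original message: it parses alert lines in the quoted format and tallies, per day, the UDP (IP protocol 17) drops whose source port is 0. The function names are hypothetical, the sample lines are constructed with documentation addresses, and the parser assumes the fields are separated by " - " exactly as in the quoted alert.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the alert format quoted in the post.
# Addresses are documentation ranges, not values from the post.
SAMPLE = """\
10/05/2005 03:12:44.101 - Alert - Network Access - Malformed or unhandled IP packet dropped - 192.0.2.10, 0, X1 - 198.51.100.7, 1025 - IP Protocol 17
10/11/2005 08:01:09.250 - Alert - Network Access - Malformed or unhandled IP packet dropped - 192.0.2.44, 0, X1 - 198.51.100.7, 1025 - IP Protocol 17
10/11/2005 08:40:31.007 - Alert - Network Access - Malformed or unhandled IP packet dropped - 203.0.113.9, 0, X1 - 198.51.100.7, 1026 - IP Protocol 17
10/11/2005 09:15:00.000 - Alert - Network Access - Malformed or unhandled IP packet dropped - 203.0.113.9, 53, X1 - 198.51.100.7, 1025 - IP Protocol 17
10/11/2005 09:16:00.000 - Alert - Network Access - Malformed or unhandled IP packet dropped - 192.0.2.44, 0, X1 - 198.51.100.7, 1025 - IP Protocol 6
truncated line without the expected fields
"""

def parse_alert(line):
    """Split one alert line into fields; return None if it does not fit."""
    parts = [p.strip() for p in line.split(" - ")]
    if len(parts) != 7 or not parts[6].startswith("IP Protocol "):
        return None
    try:
        src_ip, src_port, iface = (f.strip() for f in parts[4].split(","))
        dst_ip, dst_port = (f.strip() for f in parts[5].split(","))
        return {
            "time": datetime.strptime(parts[0], "%m/%d/%Y %H:%M:%S.%f"),
            "message": parts[3],
            "src_ip": src_ip, "src_port": int(src_port), "iface": iface,
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "proto": int(parts[6][len("IP Protocol "):]),
        }
    except ValueError:
        return None  # wrong field count or non-numeric port/protocol

def port0_udp_by_day(log_text):
    """Per-day alert count, distinct sources and destination ports."""
    days = defaultdict(lambda: {"alerts": 0, "sources": set(), "dst_ports": set()})
    for line in log_text.splitlines():
        rec = parse_alert(line)
        # Keep only the pattern from the post: source port 0, IP protocol 17 (UDP).
        if rec and rec["src_port"] == 0 and rec["proto"] == 17:
            day = days[rec["time"].date().isoformat()]
            day["alerts"] += 1
            day["sources"].add(rec["src_ip"])
            day["dst_ports"].add(rec["dst_port"])
    return dict(sorted(days.items()))

if __name__ == "__main__":
    for day, s in port0_udp_by_day(SAMPLE).items():
        print(day, s["alerts"], sorted(s["sources"]), sorted(s["dst_ports"]))
```

Comparing the per-day source and destination-port sets across sites shows whether the same senders are responsible at each location or whether the traffic is spread over many origins.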

