On Wed, 18 Apr 2001, Jeff Kell wrote:

> "Some packets have absolutely no flags set at all; these are
> referred to as "null" packets. It is illegal to have a packet
> with no flags set."
>
> Because this is an active firewall/IDS, it drops the packet and sends
> a reset to each end of the connection, so sendmail tries again. And
> yes, it is sendmail, I've sniffed it. I've seen it from sendmail
> versions 8.8, 8.9, and 8.10, but so far from only 3 sites in three
> weeks.

the application wouldn't normally be setting TCP flags, that's done in the kernel. granted one could custom craft packets, via an API like libnet, a tool like nemesis or packet shell, nmap, or what have you, but a normal, garden variety application like sendmail will not do anything but do a connect() to port 25/TCP of the target machine and begin an application level discussion about the mail (i.e. HELO, MAIL FROM: ...). the kernel will do the TCP session negotiation and such ... sendmail shouldn't be setting any flags of any kind.

is it possible someone on the other end is viewing this connection and attempting to abuse a state table (or something like that) and send their packets through, hoping to walk beside a legitimate connection?

this one is quite interesting, i'm curious how this one will play out.

____________________________
jose nazario joseat_private
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
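The thread turns on what a "null" TCP segment actually is: a header whose flag byte (offset 13) has none of FIN/SYN/RST/PSH/ACK/URG set, which no normal connect()-driven exchange ever produces. The following is an added example, not code from the thread or from any of the tools it names; it builds a few constructed raw TCP headers with `struct` (the SYN a mailer's connect() would cause the kernel to send, a normal ACK|PSH data segment, and a flagless one) and applies the same check a firewall/IDS would use to single out the null segment. Function names, the sample port numbers and the segment contents are all assumptions made for illustration.

```python
import struct

# TCP flag bits in the flag byte at header offset 13 (RFC 793 layout).
TCP_FLAGS = {
    "FIN": 0x01,
    "SYN": 0x02,
    "RST": 0x04,
    "PSH": 0x08,
    "ACK": 0x10,
    "URG": 0x20,
}

TCP_HEADER_LEN = 20  # minimum header length, no options


def make_tcp_segment(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Constructed raw TCP header (no IP header, zero checksum, no options)."""
    data_offset_byte = (TCP_HEADER_LEN // 4) << 4  # 5 words, reserved bits 0
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset_byte, flags, window, 0, 0)


def parse_tcp_flags(segment):
    """Return the set of flag names set in a raw TCP segment."""
    if len(segment) < TCP_HEADER_LEN:
        raise ValueError("TCP header must be at least 20 bytes")
    flag_byte = segment[13]
    return {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}


def is_null_segment(segment):
    """True when the segment carries no TCP flags at all (a 'null' packet)."""
    return not parse_tcp_flags(segment)


def describe_segment(segment):
    """Short human-readable verdict for one segment, as an IDS log line might carry."""
    src, dst = struct.unpack("!HH", segment[:4])
    flags = parse_tcp_flags(segment)
    label = "NULL (illegal: no flags set)" if not flags else "|".join(sorted(flags))
    return "%d -> %d flags=%s" % (src, dst, label)


def find_null_segments(segments):
    """Return the indexes of flagless segments in a captured sequence."""
    return [i for i, seg in enumerate(segments) if is_null_segment(seg)]


# Constructed sample traffic toward a mail server on 25/TCP.
SAMPLE_SEGMENTS = [
    make_tcp_segment(40001, 25, TCP_FLAGS["SYN"], seq=1000),          # kernel-sent connect()
    make_tcp_segment(40001, 25, TCP_FLAGS["ACK"] | TCP_FLAGS["PSH"],   # HELO data segment
                     seq=1001, ack=5001),
    make_tcp_segment(40001, 25, 0, seq=1001, ack=5001),                # flagless: the anomaly
]


if __name__ == "__main__":
    for seg in SAMPLE_SEGMENTS:
        print(describe_segment(seg))
    print("null segments at indexes:", find_null_segments(SAMPLE_SEGMENTS))
```

The check is deliberately narrow: it looks only at the six classic flag bits, so a segment with just ECN bits set in the adjacent byte would still read as "null" here, matching the thread's definition rather than a stricter modern one.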
This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 07:40:19 PDT