For some time now snort has been logging 'Tiny Fragments' coming from
several different addresses. Here is a sample:
Packet 1
TIME: 10:04:55.405457
LINK: 00:00:0C:46:5C:D1 -> 00:E0:1E:8E:31:71 type=IP
IP: 62.32.156.41 -> 130.216.112.2 hlen=20 TOS=48 dgramlen=20 id=5D09
MF/DF=1/1 frag=0 TTL=98 proto=TCP cksum=CE6E
TCP: port 0 -> 0 seq=0000000000 ack=0000000000
hlen=0 (data=0) UAPRSF=000000 wnd=28 cksum=50A9 urg=59666
DATA: <No data>
---------------------------------------------------------------------------
Packet 2
TIME: 10:04:55.481006 (0.075549)
LINK: 00:00:0C:46:5C:D1 -> 00:E0:1E:8E:31:71 type=IP
IP: 62.32.156.41 -> 130.216.112.2 hlen=20 TOS=48 dgramlen=20 id=5D12
MF/DF=1/1 frag=0 TTL=98 proto=TCP cksum=CE65
TCP: port 0 -> 0 seq=0000000000 ack=0000000000
hlen=0 (data=0) UAPRSF=000000 wnd=28 cksum=0F59 urg=30577
DATA: <No data>
Note More Fragments and Don't fragment are both set to 1??
The packets arrive in pairs, both to the same destination address.
Some sources send packets to just one destination others send them
to many.
When I look in the argus logs I see a single RST packet and argus does
not report that it was fragmented.
Any idea what is going on?
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 10:43:50 PDT