Re: streams of fragments...

From: Gamble (a629wat_private)
Date: Wed Jul 18 2001 - 08:23:36 PDT


     This sounds like a DOS attack.  By sending you many fragmented packets 
    the attacker could consume a lot of the memory on your machine.  You could
    counter this by blocking all IP fragments on your firewall,  but that
    would also prevent legitimate activities.  The attacker is most likely
    spoofing the IP addresses which you are seeing, so if it is a DOS,
    tracking it down will be difficult.
    
    -- Jamie Gamble
    
    
    > Note More Fragments and Don't fragment are both set to 1??
    > 
    > The packets arrive in pairs, both to the same destination address.
    > 
    > Some sources send packets to just one destination others send them
    > to many.
    > 
    > When I look in the argus logs I see a single RST packet and argus does
    > not report that it was fragmented.
    > 
    > Any idea what is going on?
    > 
    > Russell Fulton, Computer and Network Security Officer
    > The University of Auckland,  New Zealand
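
The flag combination described in the quoted report (Don't Fragment and More Fragments both set) can be checked directly from the IPv4 header. The following is an added example, not part of the original thread; the function names are hypothetical and the sample headers are constructed using documentation addresses.

```python
import struct
from collections import Counter

# Bits of the 16-bit flags/fragment-offset field (RFC 791).
DF, MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF

def parse_ipv4(header: bytes) -> dict:
    """Extract the fragmentation-related fields from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ident, flags_off = struct.unpack("!HH", header[4:8])
    return {
        "src": ".".join(map(str, header[12:16])),
        "dst": ".".join(map(str, header[16:20])),
        "id": ident,
        "df": bool(flags_off & DF),
        "mf": bool(flags_off & MF),
        "offset": (flags_off & OFFSET_MASK) * 8,  # field is in 8-byte units
    }

def classify(pkt: dict) -> str:
    """'anomalous' = marked Don't Fragment yet is itself a fragment."""
    is_fragment = pkt["mf"] or pkt["offset"] > 0
    if pkt["df"] and is_fragment:
        return "anomalous"
    return "fragment" if is_fragment else "whole"

def anomalous_by_pair(headers) -> Counter:
    """Count anomalous packets per (source, destination) pair."""
    counts = Counter()
    for raw in headers:
        pkt = parse_ipv4(raw)
        if classify(pkt) == "anomalous":
            counts[(pkt["src"], pkt["dst"])] += 1
    return counts

def build_header(src: str, dst: str, ident: int, flags_off: int) -> bytes:
    """Build a constructed 20-byte test header (checksum left at zero)."""
    addr = lambda a: bytes(map(int, a.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, flags_off,
                       64, 6, 0, addr(src), addr(dst))

# Constructed sample traffic: one pair with DF+MF, then ordinary packets.
SAMPLE = [
    build_header("192.0.2.10", "198.51.100.5", 1, DF | MF),
    build_header("192.0.2.10", "198.51.100.5", 2, DF | MF),
    build_header("192.0.2.11", "198.51.100.6", 3, MF),
    build_header("192.0.2.12", "198.51.100.7", 4, DF),
    build_header("192.0.2.12", "198.51.100.7", 5, 185),
]
```

Because the source addresses may be spoofed, the per-pair counts are more useful for spotting which destinations are being hit than for attributing the traffic.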
    
    
    