Re: streams of fragments...

From: Burak DAYIOGLU (dayiogluat_private)
Date: Wed Jul 18 2001 - 05:20:46 PDT

    Russell Fulton wrote:
    > For some time now snort has been logging 'Tiny Fragments' coming from
    > several different addresses.  Here is a sample:
    > 
    > Packet 1
    > TIME:   10:04:55.405457
    > LINK:   00:00:0C:46:5C:D1 -> 00:E0:1E:8E:31:71 type=IP
    >   IP:   62.32.156.41 -> 130.216.112.2 hlen=20 TOS=48 dgramlen=20 id=5D09
    >         MF/DF=1/1 frag=0 TTL=98 proto=TCP cksum=CE6E
    >  TCP:   port 0 -> 0 seq=0000000000 ack=0000000000
    >         hlen=0 (data=0) UAPRSF=000000 wnd=28 cksum=50A9 urg=59666
    > DATA:   <No data>
    > ---------------------------------------------------------------------------
    > Packet 2
    > TIME:   10:04:55.481006 (0.075549)
    > LINK:   00:00:0C:46:5C:D1 -> 00:E0:1E:8E:31:71 type=IP
    >   IP:   62.32.156.41 -> 130.216.112.2 hlen=20 TOS=48 dgramlen=20 id=5D12
    >         MF/DF=1/1 frag=0 TTL=98 proto=TCP cksum=CE65
    >  TCP:   port 0 -> 0 seq=0000000000 ack=0000000000
    >         hlen=0 (data=0) UAPRSF=000000 wnd=28 cksum=0F59 urg=30577
    > DATA:   <No data>
    > 
    > Note More Fragments and Don't fragment are both set to 1??
    > 
    > The packets arrive in pairs, both to the same destination address.
    
    Might it be hping running in two-fragment mode? hping data portions
    are small; when split into two, they will be tiny.
    
    Busy now so cannot verify with a sniffer trace; sorry.
    
    regards,
    -bd
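Added example, not part of Russell's or Burak's post: a small Python script that rebuilds the two fragments from the fields in Russell's decode and runs over them the checks a reviewer would want. The two byte strings are constructed from that decode, not taken from a capture, and the function and constant names are this example's own. Two things fall out of it. First, with hlen=20 and dgramlen=20 there is not a single octet after the IP header, so the "TCP: port 0 -> 0 ... urg=59666" line is the decoder reading bytes beyond the datagram's own stated length (frame padding or whatever follows in memory), not anything carried in an IP payload; a first fragment (offset 0, MF set) too short to hold the transport header is the classic RFC 1858 tiny-fragment case, which is what the Snort rule is keyed on. Second, the logged checksums CE6E and CE65 only verify when the TOS byte is 0x48, so the sniffer's "TOS=48" is printed in hex, and the nine-unit step between the two IP ids (5D09 to 5D12) accounts exactly for the nine-unit step between the two checksums.

```python
import socket
import struct
from dataclasses import dataclass

# Addresses from the decode in the post.
SRC, DST = "62.32.156.41", "130.216.112.2"
TCP_MIN_HDR = 20   # a TCP header is at least 20 octets


@dataclass
class IPv4Header:
    ihl: int
    tos: int
    total_len: int
    ident: int
    dont_frag: bool
    more_frags: bool
    frag_offset: int        # in 8-octet units
    ttl: int
    proto: int
    checksum: int
    src: str
    dst: str

    @property
    def payload_len(self) -> int:
        """Octets following the IP header in this datagram."""
        return self.total_len - self.ihl * 4


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement
    sum of the header's 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(tos, total_len, ident, df, mf, offset, ttl, proto, src, dst):
    """Assemble a 20-octet IPv4 header (no options) with a valid checksum."""
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> IPv4Header:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, tos, tl, ident, ff, ttl, proto, ck, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    return IPv4Header(ihl=vihl & 0xF, tos=tos, total_len=tl, ident=ident,
                      dont_frag=bool(ff & 0x4000), more_frags=bool(ff & 0x2000),
                      frag_offset=ff & 0x1FFF, ttl=ttl, proto=proto, checksum=ck,
                      src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst))


def checksum_ok(pkt: bytes) -> bool:
    """With the checksum field in place, the folded sum must be all ones."""
    ihl = (pkt[0] & 0xF) * 4
    return ipv4_checksum(pkt[:ihl]) == 0


def fragment_findings(pkt: bytes) -> list:
    """Sanity checks that a first fragment like the ones in the post fails."""
    h = parse_ipv4(pkt)
    findings = []
    if not checksum_ok(pkt):
        findings.append("bad IP header checksum")
    if h.dont_frag and h.more_frags:
        findings.append("DF and MF both set")
    if (h.frag_offset == 0 and h.more_frags and h.proto == 6
            and h.payload_len < TCP_MIN_HDR):
        findings.append("first fragment too short for a TCP header (RFC 1858 tiny fragment)")
    if h.payload_len == 0:
        findings.append("no data after IP header: decoded TCP fields are not in the packet")
    return findings


def logged_checksum_matches(tos: int, ident: int, logged: int) -> bool:
    """Rebuild a fragment with the posted fields and compare our checksum
    with the one the sniffer logged."""
    pkt = build_ipv4(tos, 20, ident, True, True, 0, 98, 6, SRC, DST)
    return parse_ipv4(pkt).checksum == logged


# Constructed reproductions of Packet 1 and Packet 2 from the post (not a
# capture). The posted checksums CE6E/CE65 only verify with a TOS byte of
# 0x48, so the sniffer printed "TOS=48" in hex, not decimal.
PKT1 = build_ipv4(0x48, 20, 0x5D09, True, True, 0, 98, 6, SRC, DST)
PKT2 = build_ipv4(0x48, 20, 0x5D12, True, True, 0, 98, 6, SRC, DST)
# An ordinary unfragmented SYN-sized datagram for comparison.
NORMAL = build_ipv4(0, 40, 1, True, False, 0, 64, 6, SRC, DST)

if __name__ == "__main__":
    for name, pkt in ("Packet 1", PKT1), ("Packet 2", PKT2), ("normal", NORMAL):
        h = parse_ipv4(pkt)
        print(f"{name}: id={h.ident:04X} cksum={h.checksum:04X} "
              f"payload={h.payload_len} -> {fragment_findings(pkt) or 'ok'}")
```

Running it stand-alone prints the three findings for each of the two posted fragments and "ok" for the comparison datagram. Whether the sender was hping is not something the header alone settles; what the checks do show is that the alert is about the missing transport header, not about anything in the garbage TCP line.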
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 10:38:41 PDT