Fragmentation Concerns...

From: Josh Lutz (jlutzat_private)
Date: Tue Nov 20 2001 - 10:18:26 PST
Next message: incidents-return-2127-jwa=jammed.comat_private: "Re: MS-SQL Worm?"
Previous message: jabba: "Re: MS-SQL Worm?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I pulled this data from a Proxy Server 2.0 Packet Filter log. What has
me concerned is the seemingly random source and destination ports and in
a few instances the source ports are low ports or, in one case, zero. I
wouldn't think that streaming media would not hop ports like this.
 
This happened multiple times for 30 seconds to a minute. The source IP
was different each time, but it could have been spoofed.
 
I have copied a segment of the log below. Note the Source Port = 0,
seven lines from the bottom.
 
I would appreciate any feedback on this.
Thanks
Josh
 
Date        Time       Src IP       Dest IP   Proto SP    DP    Flags
Frag   Log Host
------------------------------------------------------------------------
---------------------------
11/15/2001  10:54:45   a.b.c.188    w.x.y.34  Udp  11769 19892 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:45   a.b.c.188    w.x.y.34  Udp  13100 36866 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  60772 18235 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  2244  10919 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  38860 20639 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  44102 57112 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  36568 22795 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  829   35894 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  13590 37647 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  33653 11083 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  7771  18936 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  14726 58812 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  4688  54193 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  1991  21011 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  16453 45020 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  42955 9480  -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  16725 11659 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  21637 51352 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  52265 54278 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  59684 10008 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  36361 12922 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  59164 41025 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  14928 35887 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  43540 56226 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  5571  40001 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  5808  37741 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  43092 4110  -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  58173 65144 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  22068 51210 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  49295 49263 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  22098 42784 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  12549 47168 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  12920 632   -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  29764 59286 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  62195 57409 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  11021 47211 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  19098 10409 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  51877 37582 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  63826 14992 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:46   a.b.c.188    w.x.y.34  Udp  4     38943 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  28770 54432 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  24934 42285 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  28911 49629 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  34631 14104 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  21288 1666  -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  11473 14786 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  5007  10291 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  42505 5141  -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  5565  59076 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  167   9472  -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  14902 36368 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  54022 30931 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  34319 17895 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  59591 13377 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  46095 45974 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  17486 14882 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  57051 40017 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  50639 35439 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  62742 36349 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  39872 2108  -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  45117 11241 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  0     62758 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  49560 17812 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  16902 36153 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  46173 47707 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  57613 21302 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  55572 44996 -    Frag
w.x.y.34  -      -
11/15/2001  10:54:47   a.b.c.188    w.x.y.34  Udp  35904 41124 -    Frag
w.x.y.34  -      -
 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Next message: incidents-return-2127-jwa=jammed.comat_private: "Re: MS-SQL Worm?"
Previous message: jabba: "Re: MS-SQL Worm?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 11:53:29 PST