RE: Suspect short first fragment?

From: Boyan Krosnov (bkrosnovat_private)
Date: Thu Feb 28 2002 - 12:29:34 PST


    Most probably it is not an attack but a scan of your machine for
    services.
    
    In short, technically:
    IPv4 uses a feature called fragmentation to permit networks with
    different MTUs (that's maximum packet size) to communicate with each
    other.
    The minimum really used MTU in the internet is about 550 bytes.
    If you ever see a first fragment of an IP packet that is less than, say,
    500 bytes, it is probably someone trying to split the packets he sends
    into small pieces (fragments) so that your filtering software does not
    notice the real destination of the packet itself. For his/her attack to
    be effective, they need to send a fragment smaller than the
    transport/session layer header, which in this case is (UDP header=) 8
    bytes. So they sent an IP packet fragmented into pieces so that the
    first piece carries only the first byte of the UDP header, and your
    Linux kernel noticed that it is not normal to receive a first fragment
    so short.
    
    Best Regards,
    Boyan Krosnov, CCIE #8701
    Senior Internetwork Engineer
    Network Systems Department
    Lirex BG Ltd.
    
    phone: +359-2-91815
    
    
    > -----Original Message-----
    > From: jamie@jamie-sue.org [mailto:jamie@jamie-sue.org]
    > Sent: Thursday, February 28, 2002 7:57 PM
    > To: incidentsat_private
    > Subject: Suspect short first fragment?
    > 
    > 
    > I got several of these messages in my syslogd logs - 
    > 
    > I'm using Redhat 7.1 
    > 
    > any idea?  Is this an attack? 
    > 
    > Suspect short first fragment.  eth0 PROTO=17 212.15.64.83:0 200.186.111.146:0 L=20 S=0x00 I=40960 F=0x4000 T=116 (#0)
    > 
    > --------------------------------------------------------------
    > --------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
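Editor's added example (not part of the list post and not the kernel's own code): the firewall log line quoted above encodes the IPv4 header fields of the offending packet (PROTO, L=total length, S=TOS, I=identification, F=fragment field, T=TTL), and the "suspect short first fragment" condition is a packet whose fragment offset is 0 but which does not carry a complete transport-layer header. The script below decodes an IPv4 header, prints the fields in the same layout as that log line, and applies that check. The exact test in the Linux 2.2/2.4 firewall code is approximated here; the per-protocol minimum header sizes, the function names and the sample packets are this example's own (one sample reuses the addresses and field values from the quoted log line so the reconstructed log line can be compared with it), and the header checksum is left at zero since nothing here sends the packets.

```python
"""Decode IPv4 headers and flag 'suspect short first fragment' packets.

Constructed example for the thread above; it is an illustration of the
idea, not the kernel's actual firewall code.
"""
import socket
import struct

# Minimum transport header a first fragment must carry, per IP protocol.
# Assumed values for this example: ICMP 8, TCP 20, UDP 8.
MIN_TRANSPORT_HDR = {1: 8, 6: 20, 17: 8}

IP_DF = 0x4000       # Don't Fragment flag in the 16-bit fragment field
IP_MF = 0x2000       # More Fragments flag
IP_OFFMASK = 0x1FFF  # fragment offset, in units of 8 bytes


def build_ipv4(src, dst, proto, ident, flags, frag_offset, ttl, payload, tos=0):
    """Build a constructed IPv4 packet (no options, checksum left at zero)."""
    total_len = 20 + len(payload)
    frag = (flags & (IP_DF | IP_MF)) | ((frag_offset // 8) & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(pkt):
    """Return the header fields and the transport payload of an IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, tos, total_len, ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    end = min(total_len, len(pkt))
    payload = pkt[ihl:end] if end > ihl else b""
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "proto": proto, "tos": tos, "total_len": total_len, "ident": ident,
        "frag_field": frag, "mf": bool(frag & IP_MF), "df": bool(frag & IP_DF),
        "offset": (frag & IP_OFFMASK) * 8, "ttl": ttl, "payload": payload,
    }


def ports(fields):
    """TCP/UDP source and destination port, or (0, 0) when the header is absent.

    Only a first fragment carrying at least 4 bytes has ports to read; this is
    why the quoted log line shows :0 on both addresses."""
    p = fields["payload"]
    if fields["proto"] in (6, 17) and fields["offset"] == 0 and len(p) >= 4:
        return struct.unpack("!HH", p[:4])
    return (0, 0)


def is_suspect_short_first_fragment(fields):
    """True when a first fragment (offset 0) lacks a full transport header."""
    need = MIN_TRANSPORT_HDR.get(fields["proto"], 0)
    return fields["offset"] == 0 and len(fields["payload"]) < need


def ipchains_log(fields):
    """Render the fields in the layout of the quoted firewall log line."""
    sport, dport = ports(fields)
    return ("PROTO=%d %s:%d %s:%d L=%d S=0x%02X I=%d F=0x%04X T=%d"
            % (fields["proto"], fields["src"], sport, fields["dst"], dport,
               fields["total_len"], fields["tos"], fields["ident"],
               fields["frag_field"], fields["ttl"]))


def classify(pkt):
    """(suspect?, log line) for one raw IPv4 packet."""
    f = parse_ipv4(pkt)
    return is_suspect_short_first_fragment(f), ipchains_log(f)


# Constructed sample packets.
# LOGGED reproduces the header values from the quoted log line: a bare
# 20-byte IP header (DF set, offset 0) with no UDP header behind it.
LOGGED = build_ipv4("212.15.64.83", "200.186.111.146", 17, 40960, IP_DF, 0, 116, b"")
# TINY is the classic tiny-fragment case: MF set, offset 0, one byte of UDP.
TINY = build_ipv4("10.0.0.1", "10.0.0.2", 17, 1, IP_MF, 0, 64, b"\x00")
# NORMAL carries a full 8-byte UDP header (ports 53 -> 1025) plus 4 data bytes.
NORMAL = build_ipv4("10.0.0.1", "10.0.0.2", 17, 2, IP_DF, 0, 64,
                    struct.pack("!HHHH", 53, 1025, 12, 0) + b"abcd")
# LATER is a non-first fragment (offset 8); the check does not apply to it.
LATER = build_ipv4("10.0.0.1", "10.0.0.2", 17, 1, 0, 8, 64, b"\x00\x00\x00\x00")

if __name__ == "__main__":
    for name, pkt in [("logged", LOGGED), ("tiny", TINY),
                      ("normal", NORMAL), ("later", LATER)]:
        suspect, line = classify(pkt)
        print("%-6s suspect=%-5s %s" % (name, suspect, line))
```

Running it prints the LOGGED sample as "PROTO=17 212.15.64.83:0 200.186.111.146:0 L=20 S=0x00 I=40960 F=0x4000 T=116" and flags it; note that in that packet F=0x4000 is the DF bit with MF clear, so it is a lone 20-byte datagram with no UDP header at all rather than the first of several fragments, which is also why both ports show as 0.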
    



    This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 13:03:21 PST