Most probably it is not an attack but a scanning of your machine for services.

In short technical: IPv4 uses a feature called fragmentation to permit networks with different MTUs (that's maximum packet size) to communicate with each other. The minimum really used MTU in the internet is about 550 bytes. If you ever see a first fragment of an IP packet that is less than, say, 500 bytes, it is probably someone trying to split the packets he sends into small pieces (fragments) so that your filtering software does not notice the real destination of the packet itself. For their attack to be effective, they need to send a fragment smaller than the transport/session layer header, which in this case is (UDP header=) 8 bytes. So they sent an IP packet fragmented into pieces so that the first piece carries only the first byte of the UDP header, and your Linux kernel noticed that it is not normal to receive a first fragment so short.

Best Regards,
Boyan Krosnov, CCIE #8701
Senior Internetwork Engineer
Network Systems Department
Lirex BG Ltd.
phone: +359-2-91815

> -----Original Message-----
> From: jamie@jamie-sue.org [mailto:jamie@jamie-sue.org]
> Sent: Thursday, February 28, 2002 7:57 PM
> To: incidentsat_private
> Subject: Suspect short first fragment?
>
> I got several of these messages in my syslogd logs -
> I'm using Redhat 7.1
>
> any idea? Is this an attack?
>
> Suspect short first fragment.
> eth0 PROTO=17 212.15.64.83:0 200.186.111.146:0 L=20 S=0x00 I=40960 F=0x4000 T=116 (#0)
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
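As an added example (not part of the original thread), here is a Python check in the spirit of the kernel's "Suspect short first fragment" message: it parses the IPv4 header and flags a first fragment whose payload is shorter than the transport header (8 bytes for UDP). The code and the sample packets are my own construction; the first sample reproduces the fields from the syslog line quoted above.

```python
import struct
from ipaddress import IPv4Address

# Minimum transport header a first fragment must carry for a filter to see ports/flags.
MIN_TRANSPORT_HDR = {1: 8, 6: 20, 17: 8}   # ICMP, TCP, UDP
IP_MF, IP_DF, IP_OFFSET_MASK = 0x2000, 0x4000, 0x1FFF

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (options are skipped)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_len": total_len,
        "id": ident,
        "mf": bool(frag & IP_MF),
        "df": bool(frag & IP_DF),
        "offset": (frag & IP_OFFSET_MASK) * 8,   # fragment offset is in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
    }

def is_suspect_short_first_fragment(pkt: bytes) -> bool:
    """True when a first fragment (offset 0) is too short to hold the transport header."""
    h = parse_ipv4(pkt)
    need = MIN_TRANSPORT_HDR.get(h["proto"])
    if h["offset"] != 0 or need is None:
        return False   # later fragment, or a protocol with no fixed header to check
    return h["total_len"] - h["ihl"] < need

def build_ipv4(src, dst, proto, payload, ident=1, flags=0, ttl=64) -> bytes:
    """Construct a minimal IPv4 packet for testing (header checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags, ttl,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

# Constructed samples. LOGGED reproduces the fields from the syslog line above:
# 20-byte total length, protocol 17 (UDP), DF set, id 40960, TTL 116.
LOGGED = build_ipv4("212.15.64.83", "200.186.111.146", 17, b"", ident=40960, flags=IP_DF, ttl=116)
# A first fragment (MF set) carrying only one byte of the UDP header.
TINY_FIRST_FRAG = build_ipv4("192.0.2.1", "192.0.2.2", 17, b"\x00", flags=IP_MF)
# An ordinary UDP datagram: full 8-byte UDP header plus data.
NORMAL_UDP = build_ipv4("192.0.2.1", "192.0.2.2", 17, struct.pack("!HHHH", 53, 53, 12, 0) + b"abcd")
```

Running the check over a packet capture feed gives the same signal the kernel logged, plus the decoded fields (id, TTL, DF/MF) that help decide whether the source is a scanner or a broken path MTU.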
This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 13:03:21 PST