I just joined the list, and a quick search of the archives didn't turn this up, but forgive me if this has already been discussed.

Starting on May 8 and continuing on through today, my firewall has been picking up malformed TCP packets. The PIX complains about bad header lengths, but the flag combinations that are showing up are extremely strange. The source IP addresses are varied, and the destination IPs are all NAT'd client workstations... not servers.

The interesting thing is that a majority of the scans are originating from port 6346, which snort.org informs me is the Gnutella server port. I've verified that at least two of the clients that these packets were directed to were running various file-sharing clients.

Is this some sort of new scanning tool that runs over the Gnutella network? Anyone have any thoughts?

(See attached file: 5-10-02-scans.txt)

Thanks!

Patrick Sarnacke
This archive was generated by hypermail 2b30 : Fri May 10 2002 - 08:55:00 PDT