Re: Strange TCP headers

From: Matt Zimmerman (mdzat_private)
Date: Fri May 10 2002 - 09:17:38 PDT

  • Next message: Robert Buckley: "RE: Strange TCP headers"

    On Fri, May 10, 2002 at 10:40:19AM -0500, pbsarnacat_private wrote:
    > Starting on May 8 and continuing on through today, my firewall has been
    > picking up malformed TCP packets. The PIX complains about bad header
    > lengths, but the flag combinations that are showing up are extremely
    > strange. The source IP addresses are varied, and the destination IPs are
    > all NAT'd client workstations... not servers. The interesting thing is that
    > a majority of the scans are originating from port 6346, which
    > informs me is the gnutella server port. I've verified that at least two of
    > the clients that these packets were directed to were running various
    > file-sharing clients. Is this some sort of new scanning tool that runs over
    > the Gnutella network? Anyone have any thoughts?
    > (See attached file: 5-10-02-scans.txt)
    I saw a small number of these a couple of days ago, on ports other than the
    ones that you saw.  I chalked it up to random data corruption, since it has
    not repeated since.
     - mdz
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Fri May 10 2002 - 10:00:45 PDT