
IDS: packets with strange IP options


Razvan Peteanu (Razvan.Peteanu@fmcsc.com)
Tue, 21 Sep 1999 11:10:03 -0400


FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

---
Hi all,

One of our firewalls has recently rejected the following packets for having unusual IP options. The apparent origins were as follows:

<IP1> was a server in Switzerland (with which no traffic has been recorded)
<IP2> was a Windows box belonging to the address space of a very large American ISP

11:06:39 Deny IP from <IP1> to <...>, IP options 0x80323fa4
11:06:47 Deny IP from <IP1> to <...>, IP options 0x8034e784
11:06:58 Deny IP from <IP1> to <...>, IP options 0x801e38bc

11:27:13 Deny IP from <IP2> to <...>, IP options 0x8021d36c
11:27:18 Deny IP from <IP2> to <...>, IP options 0x802125fc
11:27:25 Deny IP from <IP2> to <...>, IP options 0x802b181c
11:28:47 Deny IP from <IP2> to <...>, IP options 0x8029b644
11:29:04 Deny IP from <IP2> to <...>, IP options 0x8022f6cc

For your convenience, I've broken down the options into binary form.

0x80323fa4  10000000 00110010 00111111 10100100
0x8034e784  10000000 00110100 11100111 10000100
0x801e38bc  10000000 00011110 00111000 10111100
0x8021d36c  10000000 00100001 11010011 01101100
0x802125fc  10000000 00100001 00100101 11111100
0x802b181c  10000000 00101011 00011000 00011100
0x8029b644  10000000 00101001 10110110 01000100
0x8022f6cc  10000000 00100010 11110110 11001100

I looked in Stevens' book (see p. 37) for the meaning of the unusual options but couldn't find a match:

- it's not DoD Security (RFC 1108), the first byte would have been 0x82 or 0x85
- it's not Record Route, the first byte would have been 0x07
- it's not router timestamp, the first byte would have been 0x44
- it's not source routing, the first byte would have been 0x83 for loose source routing or 0x89 for strict source routing

My questions:

1. Are these options meaningful or can they be the result of a bug?
2. What would the purpose be?
3. Although the 2 sets of packets did not have identical options, their occurrence within a short time frame is rather remarkable in many months of logging that have not produced similar entries. I take into account the possibility of spoofed source IPs.

Thank you,

Razvan
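The first-byte check the post does by hand, generalised into a small decoder (an added example, not part of the archived message): it splits each logged options word according to the RFC 791 type-byte layout (copied flag, 2-bit class, 5-bit number), looks the class/number pair up in a table of the option codes the post compares against (plus EOL, NOP and Router Alert), and reports whether the copied flag matches the value those options are defined with.

```python
# Option type byte layout (RFC 791): bit 7 = copied flag,
# bits 6-5 = option class, bits 4-0 = option number.
# Table: (class, number) -> (name, copied flag the option is defined with).
KNOWN_OPTIONS = {
    (0, 0): ("End of Option List", False),
    (0, 1): ("No Operation", False),
    (0, 7): ("Record Route", False),
    (2, 4): ("Timestamp", False),
    (0, 2): ("Basic Security (RFC 1108)", True),
    (0, 5): ("Extended Security (RFC 1108)", True),
    (0, 3): ("Loose Source Route", True),
    (0, 9): ("Strict Source Route", True),
    (0, 20): ("Router Alert (RFC 2113)", True),
}
SINGLE_BYTE_NUMBERS = {0, 1}  # EOL and NOP carry no length field


def decode_option_word(word):
    """Decode a 32-bit IP-options word as logged by the firewall (e.g. 0x80323fa4).

    Byte 0 is the option type. For every option except EOL and NOP, byte 1 is
    the option length and the remaining bytes are option data."""
    raw = word.to_bytes(4, "big")
    t = raw[0]
    copied, cls, num = bool(t & 0x80), (t >> 5) & 0x03, t & 0x1F
    name, expected_copied = KNOWN_OPTIONS.get((cls, num), ("unknown", None))
    info = {
        "type": t,
        "bits": " ".join(f"{b:08b}" for b in raw),
        "copied": copied,
        "class": cls,
        "number": num,
        "name": name,
        # False means the class/number pair is a known option but its copied
        # flag is not the one the option is defined with; None means unknown.
        "copied_flag_consistent": None if expected_copied is None else copied == expected_copied,
    }
    if num in SINGLE_BYTE_NUMBERS:
        info["length"], info["rest"] = 1, raw[1:]   # bytes after a 1-byte option
    else:
        info["length"], info["rest"] = raw[1], raw[2:]
    return info


# The eight options words from the post, for a stand-alone run.
LOGGED = [0x80323FA4, 0x8034E784, 0x801E38BC, 0x8021D36C,
          0x802125FC, 0x802B181C, 0x8029B644, 0x8022F6CC]

if __name__ == "__main__":
    for w in LOGGED:
        d = decode_option_word(w)
        print(f"0x{w:08x} {d['bits']} copied={d['copied']} class={d['class']} "
              f"number={d['number']} name={d['name']} consistent={d['copied_flag_consistent']}")
```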



This archive was generated by hypermail 2.0b3 on Wed Sep 22 1999 - 02:42:16 CDT