Subject: fragment attack of some kind ?
From: Klavs Klavsen (ktk BERLINGSKE-ONLINE.DK)
Date: Tue Apr 11 2000 - 02:38:12 CDT
Dear sirs,
I've encountered the following in a Linux firewall..
(and I would be grateful if you would shed some light on it for me..)
Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17
216.35.71.246:2000 x.x.x.x:33434 L=64 S=0x00 I=22914 F=0x0000 T=242 (#32)
Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17
216.35.71.246:2001 x.x.x.x:33434 L=64 S=0x00 I=22916 F=0x0000 T=242 (#32)
Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17
216.35.71.246:2002 x.x.x.x:33434 L=64 S=0x00 I=22918 F=0x0000 T=242 (#32)
Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6
216.35.71.246:2000 x.x.x.x:33434 L=104 S=0x00 I=35096 F=0x0000 T=242 SYN (#24)
Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6
216.35.71.246:2001 x.x.x.x:33434 L=104 S=0x00 I=36448 F=0x0000 T=242 SYN (#24)
Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6
216.35.71.246:2002 x.x.x.x:33434 L=104 S=0x00 I=44944 F=0x0000 T=242 SYN (#24)
Am I interpreting it correctly, when I see the first 3 lines, as packages with
length 64 (is that odd ?) and the #32 means that it's supposed to be the 32nd
fragment ? and what does the I stand for ? and the F ? the T is the TTL of the
package ?
And is the second row of packages, the same kind of package as the first one,
but with the SYN bit set ?
And at last, my final question.. This firewall is also masquerading for a lot of
clients.. both Linux and winblows.. and I get a lot of these "funny" packages...
is there any way that they can be caused by.. something initiated by my clients ?
Best regards,
Klavs Klavsen
Denmark
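
Added example, not part of the original message: a parser for the ipchains "Packet log:" format shown in the post, using the field meanings from the ipchains documentation (L = total length, S = type of service, I = IP ID, F = fragment flags and offset, T = TTL, (#n) = number of the matching rule). The function names are hypothetical, and the last sample entry is constructed to show a non-zero F value.

```python
import re

# Field layout per the ipchains documentation for "Packet log:" lines.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+) (?P<dst>\S+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)?(?: \(#(?P<rule>\d+)\))?"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
PREFIX = "Packet log: input DENY eth3 "  # syslog timestamp/host omitted
SAMPLE = [
    # First two entries are from the post, with the wrapped lines rejoined.
    PREFIX + "PROTO=17 216.35.71.246:2000 x.x.x.x:33434 "
             "L=64 S=0x00 I=22914 F=0x0000 T=242 (#32)",
    PREFIX + "PROTO=6 216.35.71.246:2000 x.x.x.x:33434 "
             "L=104 S=0x00 I=35096 F=0x0000 T=242 SYN (#24)",
    # Constructed entry: More Fragments bit set, offset 185 * 8 = 1480 bytes.
    PREFIX + "PROTO=17 192.0.2.10:2000 x.x.x.x:33434 "
             "L=1500 S=0x00 I=4242 F=0x20B9 T=64 (#32)",
]

def parse_ipchains(line):
    """Return the decoded fields of one ipchains log line, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    frag = int(m["frag"], 16)  # 3 flag bits + 13-bit offset in 8-byte units
    return {
        "proto": PROTO_NAMES.get(int(m["proto"]), m["proto"]),
        "src": m["src"], "dst": m["dst"],
        "length": int(m["length"]), "tos": int(m["tos"], 16),
        "ip_id": int(m["ip_id"]), "ttl": int(m["ttl"]),
        "dont_fragment": bool(frag & 0x4000),
        "more_fragments": bool(frag & 0x2000),
        "frag_offset": (frag & 0x1FFF) * 8,
        "syn": m["syn"] is not None,
        "rule": int(m["rule"]) if m["rule"] else None,
    }

def is_fragment(pkt):
    """True for any piece of a fragmented datagram (first, middle or last)."""
    return pkt["more_fragments"] or pkt["frag_offset"] > 0

if __name__ == "__main__":
    for line in SAMPLE:
        pkt = parse_ipchains(line)
        print(pkt["proto"], pkt["length"], pkt["rule"], is_fragment(pkt))
```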