OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: fragment attack of some kind ?
From: Heiko Degenhardt (heiko.degenhardtSENTEC-ELEKTRONIK.DE)
Date: Mon Apr 17 2000 - 06:58:34 CDT

Klavs Klavsen wrote:
>
> Dear sirs,
Dear Klavs,

> ...
> Apr 10 19:35:05 firewall kernel: Packet log: input DENY eth3 PROTO=17
> 216.35.71.246:2000 x.x.x.x:33434 L=64 S=0x00 I=22914 F=0x0000 T=242 (#32)
> ...
> Apr 10 19:35:34 firewall kernel: Packet log: input DENY eth3 PROTO=6
> 216.35.71.246:2001 x.x.x.x:33434 L=104 S=0x00 I=36448 F=0x0000 T=242 SYN > > > (#24)
> ...
> Am I interpreting it correct, when I see the first 3 lines, as packages
> with length 64 (is that odd ?) and the #32 means that it's suppose to be
> the 32'st fragment ?
No. For me it looks as if you are using ipchains. Afaik #32 means,
that the packet was logged from the 32th rule of your firewall script
(you can check that with "ipchains -nvL input | less").

> and what does the I stand for ?
Please have a look at the IPCHAINS-Howto:

I: IP ID

> and the F ?
F: "16-Bit fragment offset plus flags"

> the T is the ttl of the package ?
Yes.

>
> And is the second row of packages, the same kind of package as the
> first one, but with the SYN bit set ?
And the packets come via another protocol. PROTO=17 means
udp, PROTO=6 means tcp.

>
> is there anyway that they can be caused by.. something initiated by my > clients ?
I don't know that exactly.
As far as I read on
http://www.robertgraham.com/pubs/firewall-seen.html#traceroute,
packets in the range of 33434-33600/udp may indicate a traceroute
(but then you shouldn't see the port 33434 but higher ones).

I don't know if versions of traceroute also use tcp.

It is also possible, that someone was scanning your host.

Rgds.
Heiko.

ps: Sorry if I am not right with that. I am also quiet new
to that security thing...