Re: packet too large and/or Ping Of Death ???
Mikael Olsson (mikael.olsson enternet.se)
Sat, 06 Nov 1999 13:44:32 +0100
I'm seeing this often in firewall logs. Most likely, you've been buying
really cheap network cards. It seems that a LOT of the il-cheapo NE2000
clones have the same problem: shifting data 2 bytes in some direction.
The thing is, you only get to see these things in logs if your equipment
is capable of logging packets with bad checksums rather than throwing
them away silently. (Yes, the checksums end up looking all screwy when
bytes get shifted around in the packet).
And no, the problem is not just IP, they screw all kinds of packets up,
I'm seeing this done to f.i. ARP as well.
Regards,
Mikael Olsson
Drexx Laggui wrote:
>
> I'm sorry for the re-send, my e-mail got screwed up, but I really value your
> input...
>
> Drexx.
>
> ==================================================
> Nov. 3, 1999
>
> Hello world,
>
> I need your collective experience/brain power to shed some light on what's
> filling up my FireWall-1 logs and alarming also RealSecure...
>
> I have a FireWall-1 controlling access to internal VLANs across Cabletron
> switches. The RealSecure v3.0.2 constantly alerts with a Ping Of Death attack,
> while the FireWall-1 reports that the packets are too large, with an IP Protocol
> number of zero.
>
> It may be a coincidental fact, but the internal networks are of IP address a.b.y.z,
> yet the source/destination of the attacks reported are of y.z.a.b.
> The weird thing is that I think that the Cabletron may be mangling the packets
> or something, therefore creating a lot of false positives on the RealSecure.
>
> Any idea what is really happening? Thanks in advance,
>
> Drexx Laggui.
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50 Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se E-mail: mikael.olssonenternet.se
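
Added example, not part of the original message: a Python model of how a two-byte shift inside an IPv4 header can produce the symptoms reported in this thread (bad checksum, IP protocol 0, an oversized packet, and y.z.a.b addresses). The fault model (one repeated 16-bit word at the start of the header), the addresses and the IP ID are assumptions constructed for illustration.

```python
import ipaddress
import struct

def checksum(hdr: bytes) -> int:
    """RFC 1071 header checksum; returns 0 for a header whose checksum field is valid."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src: str, dst: str, ident: int, payload_len: int = 64) -> bytes:
    """20-byte IPv4 header for an ICMP packet, DF set, checksum filled in."""
    fields = [0x45, 0, 20 + payload_len, ident, 0x4000, 64, 1, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def duplicate_word(hdr: bytes, word: int = 0) -> bytes:
    """Assumed fault model: one 16-bit word is repeated, so all later bytes land 2 bytes late."""
    cut = 2 * (word + 1)
    return (hdr[:cut] + hdr[cut - 2:cut] + hdr[cut:])[:20]

def parse(hdr: bytes) -> dict:
    """Decode the header the way a firewall or IDS would, trusting the field offsets."""
    _, _, length, _, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", hdr)
    offset = (frag & 0x1FFF) * 8
    return {
        "total_length": length,
        "frag_offset": offset,
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": checksum(hdr) == 0,
        # Reassembled size past the 65535-byte IP maximum is the classic Ping of Death test.
        "oversize": offset + length - 20 > 65535,
    }

# Constructed sample: both hosts on a.b = 10.1; the ID is chosen so that, read as a
# fragment offset after the shift, it is large (not every ID value would be).
GOOD = build_header("10.1.20.30", "10.1.40.50", ident=0x1FFF)
BAD = duplicate_word(GOOD)

if __name__ == "__main__":
    for name, hdr in (("as sent", GOOD), ("shifted", BAD)):
        print(name, parse(hdr))
```

In the shifted header the old fragment-offset byte lands in the protocol field (0), the old IP ID is read as a fragment offset, and the first half of the original destination address is pushed out by the tail of the source address, giving y.z.a.b.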
This archive was generated by hypermail 2.0b3 on Sun Nov 07 1999 - 03:22:00 CST