Re: packet too large and/or Ping Of Death ???
Mikael Olsson (mikael.olsson enternet.se)
Tue, 09 Nov 1999 20:13:43 +0100
The problem isn't the NICs in the firewall. It's the NICs in your
workstations etc that are sending out scrambled packets.
(I still haven't seen NICs scrambling accurately sent packets on receipt)
If you monitor your network closely, you'll most likely see that
the ethernet sender addresses of the garbled packets will be
the same group all the time. These are the ones that should
get an immediate NIC change.
Drexx Laggui wrote:
>
> Nov. 7, 1999
>
> Hello Mikael,
>
> Umm, the NICs are not cheap. The ones on both the FireWall-1 v4 SP4 &
> RealSecure 3.0.2 are both Intel GigaEthernet fiber-optic NICs connected to
> a Cabletron switch. And yes, they all run on Windows NT 4 SP4. (What's
> a post-sales engineer to do? Re-design the network?)
>
> Drexx Laggui.
>
> At 01:44 PM 11/6/99 +0100, Mikael Olsson wrote:
>
> >I'm seeing this often in firewall logs. Most likely, you've been buying
> >really cheap network cards. It seems that a LOT of the il-cheapo NE2000
> >clones have the same problem: shifting data 2 bytes in some direction.
> >
> >The thing is, you only get to see these things in logs if your equipment
> >is capable of logging packets with bad checksums rather than throwing
> >them away silently. (Yes, the checksums end up looking all screwy when
> >bytes get shifted around in the packet).
> >
> >And no, the problem is not just IP, they screw all kinds of packets up,
> >I'm seeing this done to f.i. ARP as well.
> >
> >Regards,
> >Mikael Olsson
> >
> >Drexx Laggui wrote:
> > >
> > > I'm sorry for the re-send, my e-mail got screwed up, but I really value your
> > > input...
> > >
> > > Drexx.
> > >
> > > ==================================================
> > > Nov. 3, 1999
> > >
> > > Hello world,
> > >
> > > I need your collective experience/brain power to shed some light on what's
> > > filling up my FireWall-1 logs and alarming also RealSecure...
> > >
> > > I have a FireWall-1 controlling access to internal VLANs across Cabletron
> > > switches. The RealSecure v3.0.2 constantly alerts with a Ping Of Death attack,
> > > while the FireWall-1 reports that the packets are too large, with an IP Protocol
> > > number of zero.
> > >
> > > It may be a coincidental fact, but the internal networks are of IP address a.b.y.z,
> > > yet the source/destination of the attacks reported are of y.z.a.b .
> > > The weird thing is that I think that the Cabletron may be mangling the packets
> > > or something, therefore creating a lot of false positives on the RealSecure.
> > >
> > > Any idea what is really happening? Thanks in advance,
> > >
> > > Drexx Laggui.
> >
> >--
> >Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> >Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
> >Mobile: +46-(0)70-248 00 33
> >WWW: http://www.enternet.se E-mail: mikael.olsson enternet.se
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se E-mail: mikael.olsson enternet.se
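The triage described in the message above, as an added example that is not part of the original post: verify the IPv4 header checksum of each captured frame and count the failures per Ethernet source address, so the stations with faulty NICs stand out. The frames, the MAC addresses and the offset at which the two-byte shift begins are constructed for illustration; only IPv4 is checked, so mangled ARP frames are not counted.

```python
import struct
from collections import Counter

def _fold(data: bytes) -> int:
    """One's-complement 16-bit sum used by the IPv4 header checksum."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_header_ok(ip: bytes) -> bool:
    """Version 4, sane IHL, and a header whose words sum to 0xFFFF."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return False
    ihl = (ip[0] & 0x0F) * 4
    return 20 <= ihl <= len(ip) and _fold(ip[:ihl]) == 0xFFFF

def suspect_senders(frames) -> Counter:
    """Count frames carrying a corrupt IPv4 header, keyed by Ethernet source."""
    bad = Counter()
    for frame in frames:
        if len(frame) >= 14 and frame[12:14] == b"\x08\x00" and not ipv4_header_ok(frame[14:]):
            bad[frame[6:12].hex(":")] += 1
    return bad

# --- constructed sample traffic (no real capture) ---
def build_frame(src_mac: bytes, src_ip: bytes, dst_ip: bytes) -> bytes:
    """Ethernet + IPv4 (protocol 1, 8-byte zero payload) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 1, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", 0xFFFF - _fold(hdr)) + hdr[12:]
    return b"\xff" * 6 + src_mac + b"\x08\x00" + hdr + bytes(8)

def shift_two(frame: bytes, at: int = 18) -> bytes:
    """Model the fault: everything from offset `at` slides two bytes later."""
    return frame[:at] + b"\x00\x00" + frame[at:-2]

FAULTY = bytes.fromhex("020000000001")   # constructed MAC of the bad NIC
HEALTHY = bytes.fromhex("020000000002")  # constructed MAC of a good NIC
GOOD_A = build_frame(FAULTY, bytes([10, 1, 2, 3]), bytes([10, 1, 9, 9]))
GOOD_B = build_frame(HEALTHY, bytes([10, 1, 9, 9]), bytes([10, 1, 2, 3]))
SAMPLE = [GOOD_A, shift_two(GOOD_A), GOOD_B, shift_two(GOOD_A), GOOD_B, shift_two(GOOD_A)]

if __name__ == "__main__":
    for mac, count in suspect_senders(SAMPLE).most_common():
        print(mac, count)
```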
This archive was generated by hypermail 2.0b3 on Fri Nov 12 1999 - 03:44:40 CST