[Dshield] lots of fragmented & overlapping TCP packets directed at web server...

security@admin.fulgan.com security at admin.fulgan.com
Tue Oct 16 08:13:01 GMT 2001

APkc> My IDS is seeing LOTS of fragmented and overlapping TCP packets, all
APkc> directed at port 80 on one of my web servers.  There are no other negative
APkc> indicators, just fragmented and overlapping packets....

APkc> There are multiple sources, but they almost all seem to be community
APkc> colleges, or high schools, or other educational institutions.
APkc> Some of the source IPs have a few dings against them in DShield, but most
APkc> are totally clean.

APkc> Does anyone have any idea what might be causing this traffic??  Anyone else
APkc> seeing this sort of thing?

This *might* be some kind of DDoS: Teardrop uses fragmented,
overlapped packets (NT, 9x and Linux):


Also, some old PIX firmware allowed fragmentation attacks to pass
through the firewall (pretty old versions, but, ah, well...).
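
The kind of overlap check an IDS applies to IP fragments like those discussed in this thread, as an added example that is not part of the original post. The fragment tuples, addresses and the function name are constructed for illustration; a real sensor would fill the tuples from captured IP headers.

```python
from collections import defaultdict

# Constructed sample fragments (not taken from the thread):
# (src, dst, proto, ip_id, frag_offset_in_8_byte_units, payload_len)
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", 6, 0x1A2B, 0, 24),  # bytes 0-23
    ("192.0.2.10", "198.51.100.5", 6, 0x1A2B, 3, 16),  # bytes 24-39, contiguous
    ("192.0.2.77", "198.51.100.5", 6, 0x0042, 0, 40),  # bytes 0-39
    ("192.0.2.77", "198.51.100.5", 6, 0x0042, 3, 4),   # bytes 24-27, inside the first
    ("192.0.2.88", "198.51.100.5", 6, 0x0099, 0, 24),  # bytes 0-23
    ("192.0.2.88", "198.51.100.5", 6, 0x0099, 2, 16),  # bytes 16-31, partial overlap
    ("192.0.2.90", "198.51.100.5", 6, 0x0100, 0, 24),  # bytes 0-23
    ("192.0.2.90", "198.51.100.5", 6, 0x0100, 0, 24),  # exact duplicate (retransmit)
]

def find_fragment_overlaps(fragments):
    """Return (reassembly_key, kind, overlap_start, overlap_end) per overlap."""
    by_datagram = defaultdict(list)
    for src, dst, proto, ip_id, off_units, length in fragments:
        # Fragments of one datagram share source, destination, protocol and IP ID.
        # The header offset field counts 8-byte units.
        start = off_units * 8
        by_datagram[(src, dst, proto, ip_id)].append((start, start + length))

    findings = []
    for key, spans in by_datagram.items():
        spans.sort()
        covered_end, prev = 0, None
        for span in spans:
            start, end = span
            if span == prev:
                # Same byte range twice: usually duplication, lower severity.
                findings.append((key, "duplicate", start, end))
            elif start < covered_end:
                # A fragment that lies wholly inside earlier data is the
                # shape associated with Teardrop-style reassembly bugs.
                kind = "contained" if end <= covered_end else "partial"
                findings.append((key, kind, start, min(end, covered_end)))
            covered_end = max(covered_end, end)
            prev = span
    return findings

if __name__ == "__main__":
    for key, kind, start, end in find_fragment_overlaps(SAMPLE):
        print(f"{key[0]} -> {key[1]} id={key[3]:#06x}: {kind} overlap, bytes {start}-{end - 1}")
```
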

