[Dshield] lots of fragmented & overlapping TCP packets directed at web server...
security at admin.fulgan.com
Tue Oct 16 08:13:01 GMT 2001
APkc> My IDS is seeing LOTS of fragmented and overlapping TCP packets, all
APkc> directed at port 80 on one of my web servers. There are no other negative
APkc> indicators, just fragmented and overlapping packets....
APkc> There are multiple sources, but they almost all seem to be community
APkc> colleges, or high schools, or other educational institutions.
APkc> Some of the source IPs have a few dings against them in DShield, but most
APkc> are totally clean.
APkc> Does anyone have any idea what might be causing this traffic?? Anyone else
APkc> seeing this sort of thing?
This *might* be some kind of DDoS: Teardrop uses fragmented,
overlapped packets (NT, 9x and Linux):
Also, some old PIX firmware allowed fragmentation attacks to pass
through the firewall (pretty old versions, but, ah, well...)
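
Added example, not part of the original message or of any IDS mentioned in the thread: a minimal check for the condition the IDS is reporting, namely fragments of one IPv4 datagram whose byte ranges overlap. The `Frag` record, the `find_overlaps` function and the sample values are assumptions constructed for illustration; real input would come from parsed packet headers.

```python
from collections import defaultdict
from typing import NamedTuple

class Frag(NamedTuple):
    src: str
    dst: str
    proto: int
    ip_id: int
    offset_units: int  # IPv4 fragment-offset field, counted in 8-byte units
    length: int        # payload bytes carried by this fragment

def find_overlaps(frags):
    """Flag fragments that start inside bytes already covered by another
    fragment of the same datagram (same src, dst, proto, IP ID)."""
    by_datagram = defaultdict(list)
    for f in frags:
        by_datagram[(f.src, f.dst, f.proto, f.ip_id)].append(f)
    findings = []
    for key, group in by_datagram.items():
        # Lowest offset first; on ties the longer fragment first.
        group.sort(key=lambda f: (f.offset_units, -f.length))
        covered_end = 0
        for f in group:
            start = f.offset_units * 8
            end = start + f.length
            if start < covered_end:
                kind = "contained" if end <= covered_end else "partial"
                findings.append((key, start, end, kind))
            covered_end = max(covered_end, end)
    return findings

# Constructed sample (documentation addresses, proto 6 = TCP).
SAMPLE = [
    Frag("192.0.2.10", "198.51.100.5", 6, 100, 0, 1480),    # clean datagram
    Frag("192.0.2.10", "198.51.100.5", 6, 100, 185, 520),
    Frag("192.0.2.11", "198.51.100.5", 6, 200, 0, 36),      # second lies inside first
    Frag("192.0.2.11", "198.51.100.5", 6, 200, 3, 4),
    Frag("192.0.2.12", "198.51.100.5", 6, 300, 0, 1480),    # second straddles end of first
    Frag("192.0.2.12", "198.51.100.5", 6, 300, 180, 100),
]

if __name__ == "__main__":
    for key, start, end, kind in find_overlaps(SAMPLE):
        print(f"{key}: bytes {start}-{end} overlap earlier data ({kind})")
```

An exact retransmission of a fragment is also reported as "contained", so a count per source over time is more useful for triage than a single hit.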