[Dshield] Packet Fragments

Bob Savage bsavage at rnr-inc.com
Mon Jun 24 14:36:48 GMT 2002


I have been getting these, along with regular alerts, about every 3
hours or so for the last 36 hours:

6/24/2002,2:24:31,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,SYN,ALLOWED
6/24/2002,2:24:31,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,SYN ACK,ALLOWED
6/24/2002,2:24:32,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,ALLOWED
6/24/2002,2:24:32,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
6/24/2002,2:24:33,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED
6/24/2002,2:24:33,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
6/24/2002,2:24:33,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED
6/24/2002,2:24:33,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
6/24/2002,2:24:34,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED
6/24/2002,2:24:34,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
6/24/2002,2:24:35,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED
6/24/2002,2:24:35,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
6/24/2002,2:24:35,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,Fragment
6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH URG,Fragment
6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH ACK URG,Fragment
6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,Fragment
6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,SYN PSH,Fragment
6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,Fragment
6/24/2002,2:24:37,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,ACK URG,Fragment
6/24/2002,2:24:37,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,SYN RST URG,Fragment
6/24/2002,2:24:37,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED
6/24/2002,2:24:37,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,ACK,ALLOWED
6/24/2002,2:24:38,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,Fragment
6/24/2002,2:24:38,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH URG,Fragment
6/24/2002,2:24:38,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH ACK URG,Fragment
6/24/2002,2:24:44,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,Fragment
6/24/2002,2:24:44,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH URG,Fragment
6/24/2002,2:24:44,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH ACK URG,Fragment
6/24/2002,2:24:54,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,Fragment
6/24/2002,2:24:54,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH URG,Fragment
6/24/2002,2:24:54,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH ACK URG,Fragment
6/24/2002,2:25:14,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,Fragment
6/24/2002,2:25:15,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH URG,Fragment
6/24/2002,2:25:15,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH ACK URG,Fragment
6/24/2002,2:25:58,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,Fragment
6/24/2002,2:25:58,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH URG,Fragment
6/24/2002,2:25:58,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH ACK URG,Fragment

There are no corresponding emails at these times or from this IP.

What's going on???

This is from an ISA server packet filter log.  Dates and times are CDT,
USA.

Thanks folks!


Bob Savage
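
An added example, not part of the original post: a Python triage of a packet filter log in the column layout of the excerpt above. It rejoins mail-wrapped records and counts, per source, the records logged as Fragment, those with both ports 0, and those whose flag field holds a pair that contradicts itself in a valid TCP header. The column order is inferred from the excerpt, and the sample addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample; assumed column order (inferred from the excerpt):
# date,time,src,dst,proto,sport,dport,flags,action. Addresses are
# documentation ranges. Two records are wrapped as a mail client would.
SAMPLE = """\
6/24/2002,2:24:31,192.0.2.10,198.51.100.5,Tcp,1933,25,SYN,ALLOWED
6/24/2002,2:24:31,198.51.100.5,192.0.2.10,Tcp,25,1933,SYN
ACK,ALLOWED
6/24/2002,2:24:35,192.0.2.10,198.51.100.5,Tcp,1933,25,ACK,Fragment
6/24/2002,2:24:36,192.0.2.10,198.51.100.5,Tcp,0,0,FIN RST PSH
URG,Fragment
6/24/2002,2:24:36,192.0.2.10,198.51.100.5,Tcp,0,0,SYN PSH,Fragment
6/24/2002,2:24:37,192.0.2.10,198.51.100.5,Tcp,0,0,ACK URG,Fragment
"""

KEYS = ("date", "time", "src", "dst", "proto", "sport", "dport", "flags", "action")
RECORD_START = re.compile(r"^\d{1,2}/\d{1,2}/\d{4},")
# Flag pairs that contradict each other in a real TCP header.
CONFLICTS = [{"SYN", "FIN"}, {"SYN", "RST"}, {"FIN", "RST"}]

def parse(text):
    """Rejoin wrapped lines, then split each record into named fields."""
    records = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:  # continuation of a wrapped record
            records[-1] += " " + line
    return [dict(zip(KEYS, r.split(","))) for r in records]

def triage(rows):
    """Per source: fragment records, port-0 records, conflicting-flag records."""
    summary = {}
    for row in rows:
        if row["action"] != "Fragment":
            continue
        counts = summary.setdefault(row["src"], Counter())
        counts["fragments"] += 1
        if row["sport"] == "0" and row["dport"] == "0":
            counts["port_zero"] += 1
        flags = set(row["flags"].split())
        if any(pair <= flags for pair in CONFLICTS):
            counts["conflicting_flags"] += 1
    return summary

if __name__ == "__main__":
    for src, counts in triage(parse(SAMPLE)).items():
        print(src, dict(counts))
```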



