[Dshield] Packet fragments

Bob Savage bsavage at rnr-inc.com
Tue Jun 25 15:25:14 GMT 2002

Hi folks.  I asked a question yesterday that may have gotten lost in the
shuffle.  Not a big deal, but I thought I'd try again and be a little
more succinct this time:)

I'm seeing some strange log entries.  It starts as if it's an email,
with the remote server exchanging several port 25 communications with my
Exchange server.  Then the remote server sends a series of 20 or so
packet fragments to port 25, all of which are dropped and generate a
flurry of alerts.  It's all over in a matter of a few seconds.  Not sure
whether a real email is ever sent, but if so we're not getting it.

It's been happening every 2 to 4 hours for the last several days.

The remote server is in Russia.  My firewall server is running ISA and
I'm getting all this information from ISA packet filter logs and alerts.

I don't recognize this as an attack that I'm familiar with, and I
haven't be able to turn up anything useful in web searches.  On the
other hand there's an awful lot I don't know about this stuff, and I
often don't even know the right questions!

Is this a commonly known attack?  Maybe it's just a piece of spam that's
gotten corrupted?  Any thoughts?


Bob Savage
IT Manager
RNR, Inc.

More information about the list mailing list