[Dshield] Packet Fragments

John Sage jsage at finchhaven.com
Tue Jun 25 15:30:24 GMT 2002


On Mon, Jun 24, 2002 at 09:36:48AM -0500, Bob Savage wrote:
> I have been getting these, along with regular alerts, about every 3
> hours or so for the last 36 hours:
> 
> 6/24/2002,2:24:31,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,SYN,ALLOWED
> 6/24/2002,2:24:31,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,SYN ACK,ALLOWED

[toot at sparky ~]# host 195.161.32.90
90.32.161.195.in-addr.arpa. domain name pointer dima.surgut.aircontrol.ru.

Anybody you know?

If I'm reading the log format correctly, this (above..) looks like a
TCP SYN packet from their port 1933 to your port 25, which is smtp, or
email...

Do you have an open relay?


The "fragment" references essentially mean that they've attempted to
send a single packet that is larger than the maximum allowable by some
specific router along the path; since the packet is too large, it's
being fragmented, and it would be re-assembled on your host..

Not hideously uncommon...


> 6/24/2002,2:24:32,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,ALLOWED
> 6/24/2002,2:24:32,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
> 6/24/2002,2:24:33,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED
> 6/24/2002,2:24:33,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
> 6/24/2002,2:24:33,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED
> 6/24/2002,2:24:33,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
> 6/24/2002,2:24:34,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED
> 6/24/2002,2:24:34,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
> 6/24/2002,2:24:35,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED
> 6/24/2002,2:24:35,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
> 6/24/2002,2:24:35,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,Fragment
> 6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH URG,Fragment
> 6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH ACK URG,Fragment
> 6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,Fragment
> 6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,SYN PSH,Fragment
> 6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,Fragment
> 6/24/2002,2:24:37,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,ACK URG,Fragment
> 6/24/2002,2:24:37,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,SYN RST URG,Fragment
> 6/24/2002,2:24:37,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED

8< snippage >8


- John
-- 
"You are in a different maze of little passages, all twisty."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
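Added example (not part of the thread, and not the original poster's firewall software): a small Python parser for the nine-column CSV log format quoted above that separates ordinary records from fragment records and flags flag combinations that cannot come from a real TCP header. It assumes, as an interpretation not stated in the thread, that "Fragment" rows logged with ports 0/0 are later fragments carrying only payload, so the firewall has no TCP header to decode there; the sample log lines and addresses are constructed.

```python
import csv
from collections import Counter, namedtuple
from io import StringIO

# Constructed sample in the CSV layout of the firewall log quoted above
# (date,time,src,dst,proto,sport,dport,flags,action); addresses are from
# the RFC 5737 documentation ranges, not the hosts in the thread.
SAMPLE_LOG = """\
6/24/2002,2:24:31,198.51.100.7,192.0.2.10,Tcp,1933,25,SYN,ALLOWED
6/24/2002,2:24:31,192.0.2.10,198.51.100.7,Tcp,25,1933,SYN ACK,ALLOWED
6/24/2002,2:24:35,198.51.100.7,192.0.2.10,Tcp,1933,25,ACK,Fragment
6/24/2002,2:24:36,198.51.100.7,192.0.2.10,Tcp,0,0,FIN RST PSH URG,Fragment
6/24/2002,2:24:36,198.51.100.7,192.0.2.10,Tcp,0,0,SYN PSH,Fragment
6/24/2002,2:24:37,198.51.100.7,192.0.2.10,Tcp,1933,25,PSH ACK,ALLOWED
"""

Record = namedtuple("Record", "src dst sport dport flags action")
# Flag pairs that never appear together in a genuine TCP header.
ILLEGAL_PAIRS = ({"SYN", "FIN"}, {"SYN", "RST"}, {"FIN", "RST"})

def parse_log(text):
    """Parse the nine-column CSV lines; blank or truncated rows are skipped."""
    recs = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 9:
            continue
        _, _, src, dst, _, sport, dport, flags, action = row
        recs.append(Record(src, dst, int(sport), int(dport),
                           frozenset(flags.split()), action))
    return recs

def classify(rec):
    """normal, fragment-first (real ports logged, so the TCP header was
    visible) or fragment-no-header (ports 0/0: assumed to be a later
    fragment carrying only payload, so the flags shown are not real)."""
    if rec.action != "Fragment":
        return "normal"
    if rec.sport == 0 and rec.dport == 0:
        return "fragment-no-header"
    return "fragment-first"

def implausible_flags(rec):
    """True when the logged flag set cannot come from a real TCP segment."""
    return any(pair <= rec.flags for pair in ILLEGAL_PAIRS)

def summarize(text):
    """Return per-category counts and the records whose flags are bogus."""
    recs = parse_log(text)
    return Counter(classify(r) for r in recs), [r for r in recs if implausible_flags(r)]
```

Run `summarize(SAMPLE_LOG)` to get the category counts and the list of records whose flags could only have been decoded from payload bytes.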
