[Dshield] Packet fragments

Johannes Ullrich jullrich at sans.org
Tue Jun 25 16:41:28 GMT 2002


I wonder if this is something like 'whisker' which uses fragmentation
to evade some firewall/IDS checks. Do you have the ability to capture
full packet logs?


> I'm seeing some strange log entries.  It starts as if it's an email,
> with the remote server exchanging several port 25 communications with my
> Exchange server.  Then the remote server sends a series of 20 or so
> packet fragments to port 25, all of which are dropped and generate a
> flurry of alerts.  It's all over in a matter of a few seconds.  Not sure
> whether a real email is ever sent, but if so we're not getting it.
> 
> It's been happening every 2 to 4 hours for the last several days.
> 
> The remote server is in Russia.  My firewall server is running ISA and
> I'm getting all this information from ISA packet filter logs and alerts.
> 
> I don't recognize this as an attack that I'm familiar with, and I
> haven't been able to turn up anything useful in web searches.  On the
> other hand there's an awful lot I don't know about this stuff, and I
> often don't even know the right questions!

-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org
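The reply above suggests fragmentation as an IDS/firewall evasion and asks for full packet captures. The following is an added example, not code from this thread, from DShield or from SANS, showing what a defender would check once such captures exist: the two classic RFC 1858 fragment checks (a first fragment too short to carry the whole TCP header, so a stateless filter cannot see the destination port; and a second fragment whose offset lands inside the TCP header, which can overwrite it) plus a per-source count of fragments in a short window, matching the "20 or so fragments in a few seconds" pattern the poster describes. The IPv4 parsing follows the standard header layout; the sample packets, addresses, thresholds and function names are all constructed for this example.

```python
import struct
from collections import defaultdict

IP_PROTO_TCP = 6
MF_FLAG = 0x1          # IPv4 "More Fragments" bit (low bit of the 3-bit flags field)
TCP_HDR_MIN = 20       # smallest TCP header that carries ports and flags


def make_ipv4(src, dst, ident, mf, offset_units, proto, payload):
    """Build a minimal IPv4 datagram for test data (checksum left zero; constructed, not captured)."""
    total_len = 20 + len(payload)
    flags_frag = ((MF_FLAG if mf else 0) << 13) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def parse_ipv4(pkt):
    """Extract the IPv4 fields needed for fragment analysis from raw packet bytes."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "id": ident,
        "proto": proto,
        "mf": bool((flags_frag >> 13) & MF_FLAG),
        "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset is stored in 8-byte units
        "payload": pkt[ihl:total_len],
    }


def is_fragment(ip):
    return ip["mf"] or ip["offset"] > 0


def classify(ip):
    """Return a finding for a single packet, or None if it is not a fragment.

    'tiny-first-fragment': first fragment of a TCP datagram whose payload cannot hold a
        full TCP header, so a filter that inspects only this packet never sees the port.
    'overlapping-header-fragment': a later fragment whose offset falls inside the first
        20 bytes, i.e. it could overwrite TCP header fields after reassembly (RFC 1858).
    """
    if not is_fragment(ip):
        return None
    if ip["offset"] == 0 and ip["proto"] == IP_PROTO_TCP and len(ip["payload"]) < TCP_HDR_MIN:
        return "tiny-first-fragment"
    if 0 < ip["offset"] < TCP_HDR_MIN:
        return "overlapping-header-fragment"
    return "fragment"


def fragment_bursts(events, threshold=20, window=5.0):
    """events: iterable of (timestamp, raw_packet).

    Returns [(src, dst, max_fragments_in_window)] for every src/dst pair that sent at
    least `threshold` fragments within any `window` seconds (sliding window).
    """
    per_flow = defaultdict(list)
    for ts, raw in events:
        ip = parse_ipv4(raw)
        if is_fragment(ip):
            per_flow[(ip["src"], ip["dst"])].append(ts)
    findings = []
    for (src, dst), stamps in per_flow.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append((src, dst, best))
    return findings


# Constructed sample traffic: one ordinary SMTP SYN, then 22 fragments 0.1 s apart whose
# first fragments carry only 8 bytes of the TCP header (addresses are documentation ranges).
_tcp_syn = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
SAMPLE = [(100.0, make_ipv4("192.0.2.10", "198.51.100.5", 1, False, 0, IP_PROTO_TCP, _tcp_syn))]
for i in range(22):
    SAMPLE.append((101.0 + i * 0.1,
                   make_ipv4("192.0.2.10", "198.51.100.5", 1000 + i, True, 0, IP_PROTO_TCP, _tcp_syn[:8])))


if __name__ == "__main__":
    for ts, raw in SAMPLE:
        ip = parse_ipv4(raw)
        print(f"{ts:7.1f} {ip['src']} -> {ip['dst']} id={ip['id']} {classify(ip) or 'complete datagram'}")
    print("bursts:", fragment_bursts(SAMPLE))
```

Run over a real capture, the per-packet findings tell you whether the fragments are shaped to hide the transport header (the evasion case) or are merely oversized datagrams being split by a path MTU, and the burst count reproduces the "series of fragments per source" view the firewall alerts give without needing the alert log itself.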