[Dshield] Packet Fragments

Bob Savage bsavage at rnr-inc.com
Tue Jun 25 17:35:11 GMT 2002


Hi John.  Yep, looks like email to me as well, except the firewall isn't
allowing it through because of the fragmented packets.

And no, we don't know Russia.  I did have one fax machine, on one of our
private IP numbers, authorized to relay, but I cut it off after reading
your comments.

Probably spam.  No big deal.

Thanks for taking a look at it.

Bob Savage

-----Original Message-----
From: John Sage [mailto:jsage at finchhaven.com]
Sent: Tuesday, June 25, 2002 10:30 AM
To: list at dshield.org
Subject: Re: [Dshield] Packet Fragments


On Mon, Jun 24, 2002 at 09:36:48AM -0500, Bob Savage wrote:
> I have been getting these, along with regular alerts, about every 3
> hours or so for the last 36 hours:
> 
> 6/24/2002,2:24:31,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,SYN,ALLOWED
> 6/24/2002,2:24:31,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,SYN ACK,ALLOWED

[toot at sparky ~]# host 195.161.32.90
90.32.161.195.in-addr.arpa. domain name pointer
dima.surgut.aircontrol.ru.

Anybody you know?

If I'm reading the log format correctly, this (above..) looks like a
TCP SYN packet from their port 1933 to your port 25, which is smtp, or
email...

Do you have an open relay?


The "fragment" references essentially mean that they've attempted to
send a single packet that is larger than the maximum allowable by some
specific router along the path; since the packet is too large, it's
being fragmented, and it would be re-assembled on your host..

Not hideously uncommon...


> 6/24/2002,2:24:32,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,ALLOWED
> 6/24/2002,2:24:32,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
> 6/24/2002,2:24:33,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED
> 6/24/2002,2:24:33,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
> 6/24/2002,2:24:33,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED
> 6/24/2002,2:24:33,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
> 6/24/2002,2:24:34,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED
> 6/24/2002,2:24:34,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
> 6/24/2002,2:24:35,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED
> 6/24/2002,2:24:35,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,PSH ACK,ALLOWED
> 6/24/2002,2:24:35,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,Fragment
> 6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH URG,Fragment
> 6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH ACK URG,Fragment
> 6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,Fragment
> 6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,SYN PSH,Fragment
> 6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,Fragment
> 6/24/2002,2:24:37,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,ACK URG,Fragment
> 6/24/2002,2:24:37,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,SYN RST URG,Fragment
> 6/24/2002,2:24:37,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED

8< snippage >8


- John
-- 
"You are in a different maze of little passages, all twisty."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
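The log excerpt above is the kind of thing an analyst ends up eyeballing by hand: a normal SMTP handshake, then a run of "Fragment" entries with ports 0/0 and flag combinations (FIN RST PSH URG, SYN RST) that no real TCP stack emits. The script below is an added example, not code from either poster or from DShield. It parses lines in the CSV shape shown in the thread (date,time,src,dst,proto,sport,dport,flags,action), and separates fragment entries that belong to a session the firewall already allowed (noise, as John concludes) from fragment entries with no matching session (the ones worth a second look). It also marks records whose port or flag fields could not have come from a real TCP header. The assumption behind that last check is mine, not the thread's: a non-initial IP fragment carries no TCP header, so a firewall that reports ports and flags for it reads them from payload bytes and logs 0/0 and garbage flags. The `192.0.2.7` line in the sample is constructed to show the "orphan" case; the rest of the sample is taken from the quoted log.

```python
"""Sort 'Fragment' firewall log entries into session-bound vs orphan
and mark entries whose TCP header fields are not plausible.

Record format (no header line):
  date,time,src,dst,proto,sport,dport,flags,action
"""
import csv
from dataclasses import dataclass
from io import StringIO

# Sample input: lines from the quoted log plus one constructed line
# (192.0.2.7, a TEST-NET address) that has no allowed session behind it.
SAMPLE_LOG = """\
6/24/2002,2:24:31,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,SYN,ALLOWED
6/24/2002,2:24:31,209.xxx.xxx.xxx,195.161.32.90,Tcp,25,1933,SYN ACK,ALLOWED
6/24/2002,2:24:33,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,PSH ACK,ALLOWED
6/24/2002,2:24:35,195.161.32.90,209.xxx.xxx.xxx,Tcp,1933,25,ACK,Fragment
6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,FIN RST PSH URG,Fragment
6/24/2002,2:24:36,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,SYN PSH,Fragment
6/24/2002,2:24:37,195.161.32.90,209.xxx.xxx.xxx,Tcp,0,0,SYN RST URG,Fragment
6/24/2002,2:30:00,192.0.2.7,209.xxx.xxx.xxx,Tcp,0,0,FIN RST,Fragment
"""

# Flag pairs that never appear together in a legitimately built segment.
IMPOSSIBLE_PAIRS = (("SYN", "FIN"), ("SYN", "RST"), ("FIN", "RST"))


@dataclass
class Record:
    date: str
    time: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset
    action: str


def parse(text):
    """Parse CSV log text into Record objects; skip short or blank rows."""
    records = []
    for row in csv.reader(StringIO(text.strip())):
        if len(row) != 9:
            continue
        date, time, src, dst, proto, sport, dport, flags, action = row
        records.append(Record(date, time, src, dst, proto, int(sport),
                              int(dport), frozenset(flags.split()), action))
    return records


def has_impossible_flags(flags):
    """True if the flag set contains a combination no real TCP stack sends."""
    return any(a in flags and b in flags for a, b in IMPOSSIBLE_PAIRS)


def classify(records):
    """Group Fragment entries.

    session_fragments: src/dst pair also seen in an ALLOWED record
    orphan_fragments:  no ALLOWED traffic between the same two hosts
    bogus_header:      ports 0/0 or impossible flags (assumed to be the
                       firewall reading payload bytes of a non-initial
                       fragment as if they were a TCP header)
    """
    allowed_pairs = {(r.src, r.dst) for r in records if r.action == "ALLOWED"}
    out = {"session_fragments": [], "orphan_fragments": [], "bogus_header": []}
    for r in records:
        if r.action != "Fragment":
            continue
        if (r.src, r.dst) in allowed_pairs or (r.dst, r.src) in allowed_pairs:
            out["session_fragments"].append(r)
        else:
            out["orphan_fragments"].append(r)
        if (r.sport == 0 and r.dport == 0) or has_impossible_flags(r.flags):
            out["bogus_header"].append(r)
    return out


def summarize(result):
    """Counts per bucket, for a one-line triage report."""
    return {name: len(recs) for name, recs in result.items()}


if __name__ == "__main__":
    result = classify(parse(SAMPLE_LOG))
    print(summarize(result))
    for r in result["orphan_fragments"]:
        print("orphan fragment, look closer:", r.date, r.time, r.src, "->", r.dst)
```

Run against the sample, the script puts the four fragments from 195.161.32.90 in the session bucket (a fragmented MIME message landing on port 25, as the thread concludes) and leaves the constructed 192.0.2.7 line as the only orphan. The bogus-header bucket is the signal to tune on: if a device logs impossible flag sets only on non-initial fragments, alerting on those flags alone will keep paging for ordinary oversized mail.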


_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
