[Dshield] Small PMTU (mss 28)

Justin S jgs316 at gmail.com
Fri Feb 10 14:53:19 GMT 2006


Has anyone else been seeing traffic with a mss of 28?  Starting yesterday
(2/9/06) at about 8:46 am EST I started receiving some probes of this
traffic type.  It's not something that I normally see, especially with this
regularity.  The traffic changes source address (but other than two scans
from a 207. network, they all come from 69.), the source port appears to
incriment very slightly with each scan (one scan was on source ports
50041,50084,50123 and two hours later the next was on
50162,50196,50220,50238 and up it goes), and the ttl is always 116.  The
packets are always directed at my web server on port 80, and are a single
SYN packet.  My firewall stops them, so I'm not responding or seeing what
would happen if I sent back a SYN-ACK.

I'm not sure if it is a probe of some kind, or if it is directed just at my
network.  So I thought I would put it out to the group and see if anyone
else is seeing this type of traffic.

Thanks all!

Justin


More information about the list mailing list