[Dshield] list Digest, Vol 36, Issue 26

jmulkerin jmulkerin at comcast.net
Tue Jan 3 01:45:24 GMT 2006


We put up an IPFW in front of the firewall and I've been playing
cat and mouse ever since. He'd change IPs, I'd add a rule. I eventually
had all UDP frags blocked and took off for New Year's, and my pager is
driving me crazy. He's now attacking via TCP frags at the SMTP server.
I'll pull some Ethereal packets before throwing up more blockades.

John

>
> jmulkerin wrote:
>
>> We're just getting hammered with fragmented traffic to port 16 on a
>> DNS/SMTP server. It's always 1 packet. Normally he/she sends two
>> packets and changes IPs, then two more, then changes IP, etc. Here is
>> a snippet:
>>
>> [Root]system-critical-00440: Fragmented traffic! From 
>> 216.234.234.34:20864 to DNSSERVER:16, proto UDP (zone Untrust, int 
>> ethernet1). Occurred 1 times. (2005-12-23 07:18:39)
>>
>> We have nothing running on port 16 and haven't found any covert 
>> channels running on port 16.
>>
>> Comments?
>>
>> John Mulkerin
>>
> John,
>
> Have you captured any of the packets?  tcpdump or Ethereal would be 
> great.
> Typically, if a packet is fragmented, only the first "piece" will have 
> port numbers.  All subsequent fragments will retain the same packet 
> ID, but only have payload above the IP layer (no TCP or UDP headers).
>
> Rob
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>list mailing list
>list at lists.dshield.org
>http://www.dshield.org/mailman/listinfo/list
>  
>
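Rob's point about fragments is worth seeing on the wire: only the fragment at offset 0 carries the UDP or TCP header, so a firewall log that prints a destination port for a "fragmented" packet can only have read it from the first fragment; a non-first fragment shares the IP identification field but has nothing above IP to report. The following example is added here and is not code from the thread or from DShield. It builds a UDP datagram, splits it into IPv4 fragments, and parses each one the way a firewall would have to. The addresses and port numbers mirror the quoted log line (216.234.234.34:20864 -> port 16); 192.0.2.53 stands in for the unnamed DNSSERVER and the payload is constructed.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

# Minimum transport header length that must be present in the first fragment
# before port numbers can be trusted (guards against tiny first fragments).
_TRANSPORT_HDR_LEN = {6: 20, 17: 8}  # TCP, UDP


@dataclass
class Fragment:
    ident: int             # IP identification: identical across all fragments of one datagram
    more_fragments: bool   # MF flag: set on every fragment except the last
    offset_bytes: int      # fragment offset, converted from 8-byte units to bytes
    proto: int             # IP protocol number (17 = UDP, 6 = TCP)
    src: str
    dst: str
    header_ok: bool        # IPv4 header checksum verified
    payload: bytes
    sport: Optional[int] = None  # only recoverable from the offset-0 fragment
    dport: Optional[int] = None


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ident: int, proto: int,
               offset_bytes: int, more: bool, payload: bytes) -> bytes:
    """Assemble one IPv4 fragment (20-byte header, no options)."""
    flags_frag = ((1 if more else 0) << 13) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header with the checksum left at zero (permitted over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(src: str, dst: str, ident: int, proto: int,
             l4_bytes: bytes, frag_size: int = 16) -> List[bytes]:
    """Split a transport segment into fragments; offsets must be 8-byte aligned."""
    if frag_size % 8:
        raise ValueError("fragment payload size must be a multiple of 8")
    frags = []
    for off in range(0, len(l4_bytes), frag_size):
        chunk = l4_bytes[off:off + frag_size]
        more = off + frag_size < len(l4_bytes)
        frags.append(build_ipv4(src, dst, ident, proto, off, more, chunk))
    return frags


def parse_fragment(pkt: bytes) -> Fragment:
    """Decode an IPv4 fragment; fill in ports only where a transport header exists."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    payload = pkt[ihl:total_len]
    frag = Fragment(
        ident=ident,
        more_fragments=bool(flags_frag & 0x2000),
        offset_bytes=(flags_frag & 0x1FFF) * 8,
        proto=proto,
        src=socket.inet_ntoa(src),
        dst=socket.inet_ntoa(dst),
        header_ok=ipv4_checksum(pkt[:ihl]) == 0,
        payload=payload,
    )
    need = _TRANSPORT_HDR_LEN.get(proto)
    if frag.offset_bytes == 0 and need is not None and len(payload) >= need:
        frag.sport, frag.dport = struct.unpack("!HH", payload[:4])
    return frag


def describe(frag: Fragment) -> str:
    """Render a fragment the way a firewall log could honestly report it."""
    base = f"id {frag.ident:#06x} proto {frag.proto} offset {frag.offset_bytes} MF={frag.more_fragments}"
    if frag.sport is not None:
        return f"{frag.src}:{frag.sport} -> {frag.dst}:{frag.dport} {base}"
    return f"{frag.src} -> {frag.dst} {base} (no transport header in this fragment)"


def demo() -> List[Fragment]:
    # Constructed sample: a 32-byte UDP datagram, split into two 16-byte fragments.
    udp = build_udp(20864, 16, b"x" * 24)
    wire = fragment("216.234.234.34", "192.0.2.53", 0xBEEF, 17, udp, frag_size=16)
    return [parse_fragment(p) for p in wire]


if __name__ == "__main__":
    for f in demo():
        print(describe(f))
```

Running it prints a first line with both ports and a second line with only addresses, protocol and offset, which is the distinction Rob describes. A capture is still the right next step: the log line in the thread names a port, so the device either saw a first fragment (and should have the MF flag set or the DF/offset fields to confirm it) or is reporting the IP identification and a reassembly guess rather than a parsed header.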

