Date: Tue, 17 Jul 2001 22:39:40 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: "D. W. Piper" <dwplists@loop.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Another question on IPFW Rule -1
Message-ID: <20010717223940.A437@blossom.cjclark.org>
In-Reply-To: <03a401c10efb$dd2eda60$213cd3cf@loop.com>; from dwplists@loop.com on Tue, Jul 17, 2001 at 01:05:39PM -0700
References: <200105181518.WAA12362@bazooka.cs.ait.ac.th> <046c01c0dfc0$833e7fc0$213cd3cf@loop.com> <03a401c10efb$dd2eda60$213cd3cf@loop.com>
On Tue, Jul 17, 2001 at 01:05:39PM -0700, D. W. Piper wrote:
> Originally I'd asked whether IPFW rule -1 always indicated an attack
> because for the last few weeks we've been seeing the following entries
> in the IPFW logs on two of our servers:
>
> ipfw: -1 Refuse TCP aaa.bbb.ccc.ddd www.xxx.yyy.zzz in via de0 Fragment = 184
>
> Yesterday for example it happened for about 25 minutes on the primary
> mail server, then when it stopped happening on that server it happened
> for about 20 minutes on one of our secondary mail servers.
>
> As I said earlier, this has been going on for the last few weeks, always
> from the same IP address, always to the same two of our servers, and
> always with "Fragment = 184".
>
> Can anyone shed any light on what's going on here?
>
> Is it significant that it's always "Fragment = 184"? (Is that the
> number of the fragment, or if not what does it mean?)

It's the offset. The data in the fragment should be placed at an offset
of 1472 bytes in the reassembled datagram. This is not a "bogus frag" as
described in the manpage. I think it's probably a runt packet.
--
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
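As an added illustration of the point made in the reply above (editor's example, not code from the thread or from FreeBSD): the "Fragment = N" value in an ipfw log line is the raw IP fragment-offset field, which counts in 8-byte units, so 184 means the data belongs 184 * 8 = 1472 bytes into the reassembled datagram. The parser below reads lines in the format quoted in the thread, converts the field to a byte offset, and separates ordinary later fragments from the offset-1 case that the ipfw(8) manpage calls a bogus fragment. The log lines and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the format quoted in the thread (addresses are placeholders).
SAMPLE_LOG = """\
ipfw: -1 Refuse TCP 10.0.0.5 192.0.2.10 in via de0 Fragment = 184
ipfw: -1 Refuse TCP 10.0.0.5 192.0.2.10 in via de0 Fragment = 1
ipfw: 100 Accept TCP 198.51.100.7:1234 192.0.2.10:25 in via de0
"""

# Fragments are logged without ports; the trailing "Fragment = N" is optional.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>-?\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
    r"(?: Fragment = (?P<frag>\d+))?$"
)


@dataclass
class IpfwEvent:
    rule: int
    action: str
    proto: str
    src: str
    dst: str
    direction: str
    iface: str
    frag_offset: Optional[int]  # raw IP fragment-offset field, 8-byte units; None if unfragmented

    @property
    def byte_offset(self) -> Optional[int]:
        """Byte position of this fragment's data in the reassembled datagram."""
        return None if self.frag_offset is None else self.frag_offset * 8

    def classify(self) -> str:
        if self.frag_offset is None:
            return "unfragmented"
        if self.frag_offset == 1:
            return "bogus-frag"  # offset 1 (8 bytes in) cannot carry a whole TCP/UDP header
        return "fragment"  # a later fragment; "-1 Refuse" alone does not prove hostile intent


def parse_ipfw_log(text: str) -> List[IpfwEvent]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not ipfw log records
        g = m.groupdict()
        events.append(IpfwEvent(int(g["rule"]), g["action"], g["proto"], g["src"], g["dst"],
                                g["dir"], g["iface"], int(g["frag"]) if g["frag"] else None))
    return events
```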