Suspect short first fragment

To: debian-security@lists.debian.org
Subject: Suspect short first fragment
From: Mike Furr <furrm@kenyon.edu>
Date: Sun, 04 Feb 2001 23:04:56 -0500
Message-id: <3A7E2668.19E1D0F2@kenyon.edu>

I just got a bunch of these in my firewall logs.  The box routes real
ip's (no-masq).  Does anyone recogize these types packets?  Is it just a
fragmented portscan or something more dangerous?  The x address is from
outside and the y is inside...

Feb  4 12:54:33 cone kernel: Suspect short first fragment.
Feb  4 12:54:33 cone kernel: eth1 PROTO=6 xx.xx.xx.xx:0 yy.yy.yy.yy:0
L=24 S=0x00
I=19033 F=0x2000 T=112 (#0)
Feb  4 12:54:33 cone kernel: Suspect short first fragment.
Feb  4 12:54:33 cone kernel: eth1 PROTO=6 xx.xx.xx.xx:0 yy.yy.yy.yy:0
L=24 S=0x00
I=19545 F=0x2000 T=112 (#0)

thanks
-mike

Reply to:

Follow-Ups:
- Re: Suspect short first fragment
  - From: "Leonard Leblanc" <lleblanc@emergeknowledge.com>

Prev by Date: Re: ISPs offering ssl-encrypted e-mail?
Next by Date: Re: mirroring security.debian.org?
Previous by thread: Re: Updating the Securing HOWTO
Next by thread: Re: Suspect short first fragment
Index(es):
- Date
- Thread