Re: Suspect short first fragment
I ran a search on google and here's a response that someone gave to someone
else....
<begin copied message>
I guess that someone (212.140.74.85) is trying to send you a
fragmented TCP segment.
There are at least two reasons why this shouldn't happen, IMHO:
1 - TCP never sends fragmented segments (if PMTU is, by default,
active), so this is strange.
2 - This should be an attempt to open a firewalled service by means
of fragment overlaps.
<this is a little dated>
The Linux firewall software deals with that as stated in
net/ipv4/ip_fw.c:
        offset = (ntohs(ip->tot_len) < (ip->ihl<<2)+size_req);
        /* If it is a truncated first fragment then it can be
         * used to rewrite port information, and thus should
         * be blocked.
         */
        if (offset && (ntohs(ip->frag_off) & IP_MF)) {
                if (!testing && net_ratelimit()) {
                        printk("Suspect short first fragment.\n");
                        dump_packet(ip,rif,NULL,NULL,0,0,0,0);
                }
                return FW_BLOCK;
        }
Hope this helps (and it's right ;))
-- gg sullivan
<end of copied message>
Leonard Leblanc
----- Original Message -----
From: Mike Furr <furrm@kenyon.edu>
To: <debian-security@lists.debian.org>
Sent: Sunday, February 04, 2001 8:04 PM
Subject: Suspect short first fragment
> I just got a bunch of these in my firewall logs. The box routes real
> IPs (no-masq). Does anyone recognize these types of packets? Is it just a
> fragmented portscan or something more dangerous? The x address is from
> outside and the y is inside...
>
> Feb 4 12:54:33 cone kernel: Suspect short first fragment.
> Feb 4 12:54:33 cone kernel: eth1 PROTO=6 xx.xx.xx.xx:0 yy.yy.yy.yy:0 L=24 S=0x00 I=19033 F=0x2000 T=112 (#0)
> Feb 4 12:54:33 cone kernel: Suspect short first fragment.
> Feb 4 12:54:33 cone kernel: eth1 PROTO=6 xx.xx.xx.xx:0 yy.yy.yy.yy:0 L=24 S=0x00 I=19545 F=0x2000 T=112 (#0)
>
> thanks
> -mike
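To make the quoted check concrete: the log entries above show L=24 (a 20-byte IP header plus only 4 bytes of TCP, i.e. just the two port numbers) together with F=0x2000 (the MF bit set, fragment offset 0). The first fragment therefore ends before the TCP flags, and a following fragment that overlaps it could rewrite the ports after the filter has already passed the first piece, which is exactly the case the ip_fw.c comment describes. The C below is an added user-space re-implementation of that rule for illustration; it is not the kernel's ip_fw.c and was not posted by anyone in the thread. The per-protocol byte thresholds, the 10.0.0.x addresses and the zero-filled payload are this example's own assumptions, and the packets it checks are constructed to match the fields in Mike's log lines.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: the "suspect short first fragment" rule quoted
 * above from ip_fw.c, re-implemented over a raw IPv4 header in user space. The
 * transport-header sizes it requires are this example's assumption. */

#define IP_MF     0x2000u   /* more-fragments flag in the frag_off field */
#define IP_OFFSET 0x1fffu   /* fragment offset, in 8-byte units */
enum { FW_ACCEPT = 0, FW_BLOCK = 1 };

struct ipv4_fields {
    unsigned ihl, tos, tot_len, id, frag_off, ttl, protocol;  /* ihl in bytes */
    const uint8_t *saddr, *daddr;
};

static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Returns 0 on success, -1 if the buffer is not a plausible IPv4 header. */
int parse_ipv4(const uint8_t *pkt, size_t len, struct ipv4_fields *f)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    f->ihl = (pkt[0] & 0x0f) * 4;
    if (f->ihl < 20 || f->ihl > len) return -1;
    f->tos = pkt[1];        f->tot_len  = rd16(pkt + 2);
    f->id  = rd16(pkt + 4); f->frag_off = rd16(pkt + 6);
    f->ttl = pkt[8];        f->protocol = pkt[9];
    f->saddr = pkt + 12;    f->daddr    = pkt + 16;
    return 0;
}

/* Assumed thresholds: TCP through the flags word (16 bytes, so that ports and
 * SYN/ACK bits are both visible), UDP and ICMP their full 8-byte header. */
static unsigned transport_bytes_needed(unsigned p) { return p == 6 ? 16 : (p == 17 || p == 1) ? 8 : 0; }

/* Render a header the way the posted ipchains log does: PROTO=p src:sport
 * dst:dport L=tot_len S=tos I=id F=frag_off T=ttl. Ports are taken only from a
 * first fragment that actually carries them; otherwise they print as 0. */
int format_dump(const uint8_t *pkt, size_t len, char *out, size_t outlen)
{
    struct ipv4_fields f;
    unsigned sport = 0, dport = 0;
    if (parse_ipv4(pkt, len, &f) < 0) return -1;
    if (!(f.frag_off & IP_OFFSET) && len >= f.ihl + 4) {
        sport = rd16(pkt + f.ihl); dport = rd16(pkt + f.ihl + 2);
    }
    return snprintf(out, outlen,
        "PROTO=%u %d.%d.%d.%d:%u %d.%d.%d.%d:%u L=%u S=0x%02X I=%u F=0x%04X T=%u",
        f.protocol, f.saddr[0], f.saddr[1], f.saddr[2], f.saddr[3], sport,
        f.daddr[0], f.daddr[1], f.daddr[2], f.daddr[3], dport,
        f.tot_len, f.tos, f.id, f.frag_off, f.ttl);
}

/* The rule itself: a first fragment (offset 0, MF set) too short to hold the
 * port/flag fields is blocked, because a later overlapping fragment could
 * supply different ports after the filter has already passed this one. */
int check_first_fragment(const uint8_t *pkt, size_t len)
{
    struct ipv4_fields f; char line[128];
    if (parse_ipv4(pkt, len, &f) < 0) return FW_BLOCK;  /* unparseable: drop */
    if (f.frag_off & IP_OFFSET) return FW_ACCEPT;         /* later fragment: not this rule's job */
    if (f.tot_len < f.ihl + transport_bytes_needed(f.protocol) && (f.frag_off & IP_MF)) {
        format_dump(pkt, len, line, sizeof line);
        printf("Suspect short first fragment.\n%s\n", line);
        return FW_BLOCK;
    }
    return FW_ACCEPT;
}

/* Constructed packet: 20-byte header (checksum left zero, 10.0.0.1 -> 10.0.0.2)
 * followed by plen zero bytes of payload, so any ports read from it are 0, as
 * in the posted log. Returns the total length, or 0 if it does not fit. */
size_t build_ipv4(uint8_t *buf, size_t buflen, unsigned id, unsigned frag_off,
                  unsigned ttl, unsigned proto, size_t plen)
{
    size_t tot = 20 + plen;
    uint8_t hdr[20] = { 0x45, 0, (uint8_t)(tot >> 8), (uint8_t)tot,
                        (uint8_t)(id >> 8), (uint8_t)id, (uint8_t)(frag_off >> 8), (uint8_t)frag_off,
                        (uint8_t)ttl, (uint8_t)proto, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };
    if (tot > buflen || tot > 0xffff) return 0;
    memcpy(buf, hdr, 20);
    memset(buf + 20, 0, plen);
    return tot;
}

/* Verdict for a TCP packet with the given flags/offset field and tcp_bytes of
 * payload. The posted entry is (0x2000, 4): MF set, offset 0, 4 TCP bytes. */
int tcp_fragment_verdict(unsigned frag_off, size_t tcp_bytes)
{
    uint8_t buf[96];
    size_t n = build_ipv4(buf, sizeof buf, 19033, frag_off, 112, 6, tcp_bytes);
    return n ? check_first_fragment(buf, n) : FW_BLOCK;
}

/* The posted log entry regenerated from the constructed packet. */
const char *posted_dump_line(void)
{
    static char line[128];
    uint8_t buf[96];
    size_t n = build_ipv4(buf, sizeof buf, 19033, 0x2000, 112, 6, 4);
    return format_dump(buf, n, line, sizeof line) > 0 ? line : "";
}
```

tcp_fragment_verdict(0x2000, 4) reproduces the posted case and is blocked; a normal unfragmented SYN (0x4000 with a full 20-byte TCP header) and a first fragment that carries 16 or more TCP bytes are both accepted, and a later fragment (non-zero offset) is left to the rest of the filter, since this rule only looks at the first piece.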