At 11:15 07/11/00 -0600, Gary Maltzen wrote:
>While monitoring one of our servers for anomalous sequences, I ran across
>this in a tcpdump.
>
>There have been numerous icmp-echo requests, but these are radically
>different.
>
>What are these telling me?
>
>eth0 P 213.57.53.33 > 10.1.1.113: icmp: echo request (frag 21767:552@0+) (ttl 112)
>eth0 P 213.57.53.33 > 10.1.1.113: (frag 21767:156@552) (ttl 112)
>[snip]
>
>In case it's not obvious, 10.1.1.113 is the internal address of my server.
The address is certainly the result of your NAT. I think the "client" has requested the public address of your server, and it has been NATed by your firewall or router.

The 21767 is the packet ID.
The next field (552 in the 1st line, 156 in the second) is the packet length.
The number after the @ is the offset.
Then a '+' means that there are more fragments (i.e., this is not the last fragment).

So you received a fragmented ICMP echo request. The MTU, as set by the client application or stack, is at most 688 (552+156-20).
The packet seems too long. It may have been generated by "ping -s 660", but this kind of "activities" is generally not "honest" (or are there buggy pieces of code?).

Anyway, these shouldn't be normal things:
- why set this size?
- why do packets originating from different hosts have the same properties? Probably the same guy created the packets.
- why were they fragmented? Here, make sure you don't have something in your route that has a small MTU.
> 213.57.53.33 belongs to NONSTOP-CABLE of Israel
nonstop or not, stop them ;p
> 213.104.186.170 belongs to NTL Internet of Great Britain
"Not To Let in" ?
cheers,
mouss
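A small parser for the tcpdump fragment notation discussed in this thread, added here as an example (it is not code from either poster): it groups the "(frag id:len@offset+)" entries by source, destination and IP ID, checks that the set is contiguous and ends with a fragment without '+', and reports the size the datagram reassembles to. The sample lines and the 576-byte threshold are constructed assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the two tcpdump lines quoted above.
SAMPLE = """\
eth0 P 213.57.53.33 > 10.1.1.113: icmp: echo request (frag 21767:552@0+) (ttl 112)
eth0 P 213.57.53.33 > 10.1.1.113: (frag 21767:156@552) (ttl 112)
"""

# src > dst: ... (frag <id>:<len>@<offset>[+])  -- '+' means more fragments follow
FRAG_RE = re.compile(r"(\S+) > (\S+):.*\(frag (\d+):(\d+)@(\d+)(\+?)\)")


def parse_fragments(text):
    """Group (offset, length, more_fragments) tuples by (src, dst, ip_id)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if m:
            src, dst, ident, length, offset, more = m.groups()
            groups[(src, dst, int(ident))].append(
                (int(offset), int(length), more == "+"))
    return groups


def reassembled_size(frags, ip_header=20):
    """Size of the original IP datagram (payload plus one IP header) if the
    fragments form a complete, contiguous set; None on a gap, an overlap
    or a missing final fragment."""
    ordered = sorted(frags)
    if not ordered or ordered[-1][2]:
        return None              # empty, or last fragment still has '+' (MF set)
    expected = 0
    for offset, length, _ in ordered:
        if offset != expected:
            return None          # gap (lost fragment) or overlapping fragment
        expected = offset + length
    return expected + ip_header


def oversized_datagrams(text, limit=576):
    """Map (src, dst, id) -> reassembled size for each complete fragment set
    larger than `limit` (assumed threshold: 576 is the minimum datagram size
    every host must accept, so bigger fragmented echo requests stand out)."""
    out = {}
    for key, frags in parse_fragments(text).items():
        size = reassembled_size(frags)
        if size is not None and size > limit:
            out[key] = size
    return out


if __name__ == "__main__":
    for key, size in oversized_datagrams(SAMPLE).items():
        print(key, "reassembles to", size, "bytes")
```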