Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Fragmented Packet

from [Shane Mahon] Network Security [Permanent Link]
Subject: RE: Fragmented Packet
Date: Wed, 17 Nov 2004 19:17:40 -0600 
Joe, 
 
There's not enough information there to tell you exactly what is going on.
I can tell you this -- not all fragmented traffic is necessarily malicious.
To start, you really need to consider what is at the destination address,
and find out exactly why those two hosts might need to communicate.  What
UDP services does the destination host offer that the outside host might
want to access?  
 
Some types of traffic are prone to fragmentation(NFS, for an example), and
it can happen normally in certain circumstances such as differing MTU sizes.
Since the firewall is new, you might be simply seeing something that has
always been happening and now you are just now noticing it.  What I'm saying
is, you need to gather a little bit more information before you can
definitively determine what is going on.  
 
Do you have any other log entries that might point to the particular UDP
port numbers that these hosts might be using to communicate with one
another?
 
 
Shane Mahon
Internet Operations Manager
Newsstand, Inc.
 

-----Original Message-----
From: Joe Grinnell [mailto:joe.grinnell@axisci.com] 
Sent: Tuesday, November 16, 2004 1:59 PM
To: firewalls@securityfocus.com
Subject: Fragmented Packet



Hi,  I'm pretty new to firewalls and have just installed a SonicWALL Pro230
with all the default settings.  Anyway, I'm starting to see a lot of
activity to a few different PC's in my DMZ from the below source.  Anyone
know what the heck is going on here?  Any help would be very much
appreciated.

11/16/2004 03:05:46.816 - Fragmented Packet Dropped - Source: 83.102.166.24,
17, WAN - Destination: XXX.XXX.XXX.XXX, DMZ - Protocol: 17 -

11/16/2004 03:08:46.816 - Fragmented Packet Dropped - Source: 83.102.166.53,
17, WAN - Destination: XXX.XXX.XXX.XXX, DMZ - Protocol: 17 -

11/16/2004 03:16:46.816 - Fragmented Packet Dropped - Source: 83.102.166.84,
17, WAN - Destination: XXX.XXX.XXX.XXX, DMZ - Protocol: 17 -

11/16/2004 03:23:46.816 - Fragmented Packet Dropped - Source:
83.102.166.204, 17, WAN - Destination: XXX.XXX.XXX.XXX, DMZ - Protocol: 17 -

Thanks in advance.  I really need to get my learn on.

Joe Grinnell
network security wannabe
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Fragmented Packet, Chris Brenton
Next by Date:  Re: Pix Management, uae mail
Previous by Thread:  Re: Fragmented Packet, Remko Lodder
Next by Thread:  RE: Fragmented Packet, Wozny, Scott (US - New York)
Indexes:  [Date] [Thread] [Top] [All Lists]