Network Security Firewalls

Re: Fragmented Packet

Subject: Re: Fragmented Packet
Date: Wed, 17 Nov 2004 20:20:22 -0500
On Tue, 2004-11-16 at 14:59, Joe Grinnell wrote:

> 11/16/2004 03:05:46.816 - Fragmented Packet Dropped - Source: 83.102.166.24, 17, WAN - Destination: XXX.XXX.XXX.XXX, DMZ - Protocol: 17 -
>
> 11/16/2004 03:08:46.816 - Fragmented Packet Dropped - Source: 83.102.166.53, 17, WAN - Destination: XXX.XXX.XXX.XXX, DMZ - Protocol: 17 -

It's fragmented UDP traffic, but I'm afraid that does not tell you a
whole lot. There is no port number info to work with, so I'm guessing
this is a non-first fragment. Kind of hard to tell what's up based on
the limited info.

First thing to ask yourself is "Do I offer a UDP-based service on the
target system?". If not, this may be malicious. If the target is a name
server this is still probably malicious as UDP-based DNS is limited to
512 bytes in size which is small enough that it would probably not need
to get fragmented.

If you are really interested in what's going on, you'll have to hook up
a sniffer. Something with a filter that captures all traffic to and from
this host should do the trick. As for info on the source, I've included
that at the end of this e-mail.

HTH,
Chris


***************************************

cbrenton@grendel:~> host 83.102.166.53
Host 53.166.102.83.in-addr.arpa not found: 3(NXDOMAIN)
cbrenton@grendel:~> whois -h whois.ripe.net 83.102.166.53
% This is the RIPE Whois tertiary server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum:      83.102.166.0 - 83.102.166.255
netname:      CORBINA-TECHPRO
descr:        Techpro Company
country:      RU
admin-c:      CORB1-RIPE
tech-c:       CORB1-RIPE
status:       ASSIGNED PA
notify:       noc@corbina.net
mnt-by:       RU-CORBINA-MNT
changed:      pvr@corbina.net 20040823
source:       RIPE

route:        83.102.128.0/17
descr:        RU-CORBINA BLOCK #4
origin:       AS8402
mnt-by:       RU-CORBINA-MNT
changed:      pvr@corbina.net 20040302
source:       RIPE
notify:       noc@corbina.net

role:         CORBINA TELECOM Network Operations
address:      CORBINA TELECOM/Internet Network Operations
address:      Ryazanskii pr. 30/15
address:      Moscow, Russia
address:      109428
phone:        +7 095 728 4000
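As an added example that is not part of Chris's reply or of any firewall vendor's tooling, the script below does the three things the reply walks through: it parses the "Fragmented Packet Dropped" log lines into fields, it builds the tcpdump/BPF filter for "all traffic to and from this host", and it shows why a non-first fragment carries no port numbers by building a UDP datagram, fragmenting it at a small MTU, and inspecting each fragment the way a firewall would. The sample log lines are the two from the thread rejoined onto one line each, with the masked destination replaced by the documentation address 192.0.2.10 (an assumption, not the poster's host); the UDP source port, payload size and MTU are constructed values, and the unlabelled second field after each source address is captured as-is without interpreting it.

```python
# Added example (not from the original post): parse the firewall's "Fragmented
# Packet Dropped" lines, build the capture filter the reply recommends, and show
# why a non-first IP fragment carries no UDP port numbers.
import re
import struct
from ipaddress import ip_address

IP_PROTO_UDP = 17
IP_MF = 0x2000          # "more fragments" flag in the IPv4 flags/offset field
IP_OFFSET_MASK = 0x1FFF

# Constructed sample: the two log lines quoted in the thread, re-joined onto one
# line each, with the masked destination replaced by the documentation address
# 192.0.2.10 (an assumption, not the poster's real host).
SAMPLE_LOG = """\
11/16/2004 03:05:46.816 - Fragmented Packet Dropped - Source: 83.102.166.24, 17, WAN - Destination: 192.0.2.10, DMZ - Protocol: 17 -
11/16/2004 03:08:46.816 - Fragmented Packet Dropped - Source: 83.102.166.53, 17, WAN - Destination: 192.0.2.10, DMZ - Protocol: 17 -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - Fragmented Packet Dropped - "
    r"Source: (?P<src>[\d.]+), (?P<src_field>\d+), (?P<src_if>\w+) - "
    r"Destination: (?P<dst>[\d.]+), (?P<dst_if>\w+) - Protocol: (?P<proto>\d+) -$"
)

def parse_log(text):
    """Return one dict per 'Fragmented Packet Dropped' line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["proto"] = int(rec["proto"])   # IP protocol number (17 = UDP)
            records.append(rec)
    return records

def capture_filter(records):
    """tcpdump/BPF expression for 'all traffic to and from' the logged sources."""
    return " or ".join(f"host {h}" for h in sorted({r["src"] for r in records}))

def ipv4_header(src, dst, proto, payload_len, offset_bytes, more):
    """Minimal IPv4 header (no options; checksum left at zero for inspection only)."""
    flags_off = (IP_MF if more else 0) | ((offset_bytes // 8) & IP_OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       flags_off, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)

def udp_datagram(sport, dport, data):
    """UDP header (checksum zero, which is legal over IPv4) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def fragment(src, dst, proto, payload, mtu):
    """Split an IP payload into fragments that fit the MTU; all but the last
    fragment carry a multiple of 8 bytes, as the offset field counts 8-byte units."""
    per_frag = (mtu - 20) // 8 * 8
    frags, off = [], 0
    while off < len(payload):
        chunk = payload[off:off + per_frag]
        more = off + len(chunk) < len(payload)
        frags.append(ipv4_header(src, dst, proto, len(chunk), off, more) + chunk)
        off += len(chunk)
    return frags

def inspect_fragment(pkt):
    """What a firewall can see in one fragment: protocol and offset always,
    UDP ports only when this is the first fragment (offset 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_off = struct.unpack("!H", pkt[6:8])[0]
    proto = pkt[9]
    offset = (flags_off & IP_OFFSET_MASK) * 8
    more = bool(flags_off & IP_MF)
    ports = None
    if proto == IP_PROTO_UDP and offset == 0 and len(pkt) >= ihl + 8:
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"proto": proto, "offset": offset, "more": more,
            "fragmented": more or offset > 0, "ports": ports}

def demo():
    """Run the log parser and the fragment demonstration; return all three results."""
    records = parse_log(SAMPLE_LOG)
    # Constructed traffic: a 1000-byte UDP payload to port 53 over a 576-byte MTU.
    payload = udp_datagram(40000, 53, b"A" * 1000)
    frags = fragment("83.102.166.24", "192.0.2.10", IP_PROTO_UDP, payload, 576)
    return records, capture_filter(records), [inspect_fragment(f) for f in frags]

if __name__ == "__main__":
    records, bpf, views = demo()
    for r in records:
        print(f"{r['ts']}  {r['src']} ({r['src_if']}) -> {r['dst']} ({r['dst_if']}) proto {r['proto']}")
    print("sniffer filter:", bpf)
    for v in views:
        print(v)
```

Running it prints the two parsed records, the filter `host 83.102.166.24 or host 83.102.166.53` (which you would hand to `tcpdump -n` on a span port or on the DMZ host itself), and two fragment views: the first fragment exposes source and destination ports, the second has a non-zero offset and no UDP header at all, which is exactly why the firewall log above shows a protocol number but nothing to match a service against. The packets are built for inspection only (IP checksum zero) and are never sent.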

