I've been looking for information on some suspicious traffic
we've been seeing targeted at one of our internal boxes. My gut
tells me it's a covert channel.
Access from the outside to the trageted box is blocked by
the firewall, but I occassionally see attempts by other various
hosts (usually originating from residential broadband users)
to communicate with the same target box anyway. The traffic
alarms my "outside interface" IDS sensor as a "IP Fragment
Overwrite - Data is Overwritten" meaning that:
[snip]
This signature fires upon detecting an IP fragment that overlaps a previous
fragment.
This behavior is consistent with the 'Ping of Death'.
Overlapping fragments may be also used in an attempt to bypass Intrusion
Detection Systems. In this scenario, part of an attack is sent in fragments
along with additional random data; future fragments may overwrite the random
data with the remainder of the attack. If the completed datagram is not
properly reassembled at the IDS, the attack will go undetected. Triggers when a
fragment overlap occurs which results in existing data being overwritten.
[snip]
Source and destination port is 16191.
Any ideas? I can probably get a trace, but I thought I
would ask the list first..
Thanks,
- ferg
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
