Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Source port 0 and from a 0 network to boot?

from [Valdis . Kletnieks] Network Security [Permanent Link]
Subject: Re: Source port 0 and from a 0 network to boot?
Date: Fri, 10 Jun 2005 23:09:13 -0400 
the network.  The PC will be shipped to us from our remote office but
in the mean time does anyone recognize this traffic?  I'm curious
about the spoofed source addresses, 0.x.x.x.  They appear random,
other then the first octet being 0, but this PC choked an internal
router with 50MB of traffic


Just as a totally shot-in-the-dark, is it possible that the IP
packets in question contain IP options or similar weirdness, and
your Dragon sensor misinterpreted the packet?  I've seen more than one
tool that blindly assumed that an IP header is 40 bytes, and started
decoding the TCP header 40 bytes in, no matter what.  Botched decodes
of the "returned packet header" in an ICMP seem to be pretty popular as
well.

Of course, sometimes the malware programmers are the ones that botch
things - stuff like using your own custom structure definitions that
don't match reality, leaving out a field, and all your crafted packets
go out the door busticated.   (They'd have to try hard to botch that in
this case - source addr/port aren't adjacent...)

If feasible, try trapping the traffic with Ethereal or tcpdump or other
tool, and see if it agrees that there's zeros in the source port and
the first byte of the source addr...

Attachment: pgptXfffbGsjH.pgp
Description: PGP signature

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Source port 0 and from a 0 network to boot?, kurt
Next by Date:  Re: Source port 0 and from a 0 network to boot?, junkma1l
Previous by Thread:  Source port 0 and from a 0 network to boot?, kurt
Next by Thread:  Re: Source port 0 and from a 0 network to boot?, junkma1l
Indexes:  [Date] [Thread] [Top] [All Lists]