Security Incidents mailing list archives

Re: PIX Question
From: Shawn Davenport <shawn.davenport () CURRENEX COM>
Date: Tue, 31 Oct 2000 15:23:25 -0800

It refers to the IP Options field of the IP header. The field is 40 bytes max
in length. 14 is listed as experimental access control on
http://www.isi.edu/in-notes/iana/assignments/ip-parameters . For the most
part options are very rarely used and I would be cautious of packets coming
in using ANY options!

In regards to the possibility of someone trying to map your network, I
would say the chances are good. Some of the more interesting IP options such
as loose and strict source routing can help provide a wealth of information
regarding network topology.

Hope that helps!

Shawn


-----Original Message-----
From: Miller, Dan [mailto:dmiller () MICROTHERAPEUTICS COM]
Sent: Tuesday, October 31, 2000 11:05 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: PIX Question

I am a 'newbie' to Security and have been a voyeur to this list-server
for a while - plus the 'education' - so please be gentle...

Recently the following message has been picked up at our PIX firewall:

     106012:Deny IP from 0.0.0.0 to 161.58.250.155, IP options: "0x14"

My question is what is an 'IP Option 0x14' ?

Just from the outside IP address I assume this to be some kind of
attempt to map or penetrate the network perimeter...
Any other opinions?

Thank you in advance.
Daniel Miller
IT Manager
Micro Therapeutics, Inc.
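
The option type byte and the 40-byte options field discussed in this thread, decoded in Python as an added example that is not part of either poster's message. The function names, the constructed sample header, and the assumption that the PIX prints the raw option type byte are this example's own.

```python
import re

# Option type bytes defined in RFC 791; anything else is reported as "unlisted".
NAMES = {0: "End of Option List", 1: "No Operation", 7: "Record Route",
         68: "Internet Timestamp", 131: "Loose Source Routing",
         137: "Strict Source Routing"}
TOPOLOGY = {7, 131, 137}  # options that record or steer the path a packet takes

PIX_106012 = re.compile(
    r'106012:\s*Deny IP from (\S+) to (\S+), IP options: "0x([0-9A-Fa-f]+)"')

# Log line quoted in the thread, and a constructed 28-byte IPv4 header
# (IHL=7) carrying one Loose Source Routing option plus End of Option List.
SAMPLE_LOG = '106012:Deny IP from 0.0.0.0 to 161.58.250.155, IP options: "0x14"'
SAMPLE_HEADER = bytes.fromhex(
    "4700001c000000004001" "0000c0000201c0000202" "830704c000020300")

def decode_type(t):
    """Split an option type byte into its RFC 791 sub-fields."""
    return {"type": t, "copied": t >> 7, "class": (t >> 5) & 0x3,
            "number": t & 0x1F, "name": NAMES.get(t, "unlisted"),
            "topology": t in TOPOLOGY}

def parse_pix_line(line):
    """Return (src, dst, option) for a PIX 106012 message, else None.
    Assumption: the quoted hex value is the raw option type byte."""
    m = PIX_106012.search(line)
    if m is None:
        return None
    return m.group(1), m.group(2), decode_type(int(m.group(3), 16) & 0xFF)

def walk_options(header):
    """Decode every option in a raw IPv4 header; ValueError if malformed."""
    ihl = (header[0] & 0x0F) * 4 if header else 0
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad header length")
    opts, i, found = header[20:ihl], 0, []  # IHL <= 15, so at most 40 bytes
    while i < len(opts):
        found.append(decode_type(opts[i]))
        if opts[i] == 0:        # End of Option List: the rest is padding
            break
        if opts[i] == 1:        # No Operation: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length at offset %d" % i)
        i += opts[i + 1]
    return found
```

Calling `parse_pix_line(SAMPLE_LOG)` returns the addresses and the decoded sub-fields for the logged value, and `walk_options(SAMPLE_HEADER)` marks the source-routing option with `topology: True`.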

