On Wed, 6 Sep 2000 cider_at_SPEAKEASY.ORG wrote:
> hi,
>
> from time to time I see very small tcp fragments with source and
> destination port == 0, no payload, no options, and both DF and MF bits
> set. these are frequently from IP addresses which have established
> legitimate tcp connections (usually to port 80 or 443) to hosts on my
> network, and there are usually only one or two of these fragments per
> source. because of the lack of any real information in these fragments,
> i'm suspecting misbehaving networking equipment rather than malicious
> activity - though it did occur to me that they may be some kind of "packet
> of death" for a particular operating system. anyone else familiar with /
> see these packets? they seem to originate mostly from european address
> space, though there have been a few US-generated fragments as well.
>
in the last few weeks, i have seen two or three similar packets:
-- snip -- (times are PDT, UTC -0700)
Aug 28 03:12:36 spindle kernel: Packet log: ltraf REJECT eth0 PROTO=6
client.ip.was.here:3389 my.ip.was.here:0 L=40 S=0x00 I=22997 F=0x4000
T=119 (#11)
-- snip --
what is more interesting is that i got a portmapper scan from the same ip
the day before.
--
______________________________________________
| "the whole scale of cosmic dimensions are falling from my mouth
| in the description of a kiss of the interimlovers"
| - einsturzende neubaten, "interim"
Received on Sep 07 2000
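
The F= field in the log entry quoted above packs the IPv4 flags and fragment offset into one 16-bit word. The following Python code is an added example, not part of the original messages: it parses an ipchains packet-log entry, decodes that word, and notes the traits discussed in the thread. The second sample entry, its addresses, and the note names are constructed for illustration, and the no-payload check assumes a 20-byte IP header.

```python
import re

# Field layout of an ipchains "Packet log:" entry, as in the quoted log line.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9A-Fa-f]+ I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]{4}) T=(?P<ttl>\d+)"
)

def decode_frag(word):
    """Split the 16-bit IPv4 flags/fragment-offset word logged as F=."""
    return {"df": bool(word & 0x4000), "mf": bool(word & 0x2000),
            "offset_bytes": (word & 0x1FFF) * 8}

def analyze(entry):
    """Parse one log entry (mail-wrapped or not) and list what is odd about it."""
    m = LOG_RE.search(" ".join(entry.split()))  # collapse wrapped lines
    if m is None:
        return None
    rec = {"src": m["src"], "dst": m["dst"], "proto": int(m["proto"]),
           "sport": int(m["sport"]), "dport": int(m["dport"]),
           "length": int(m["length"])}
    rec.update(decode_frag(int(m["frag"], 16)))
    notes = []
    if rec["proto"] == 6 and 0 in (rec["sport"], rec["dport"]):
        notes.append("tcp-port-0")
    if rec["df"] and (rec["mf"] or rec["offset_bytes"]):
        notes.append("df-set-on-fragment")  # DF and fragmentation contradict
    # Assumes a 20-byte IP header (no IP options): 40 bytes is a bare TCP header.
    if rec["proto"] == 6 and rec["offset_bytes"] == 0 and rec["length"] <= 40:
        notes.append("tcp-no-payload")
    rec["notes"] = notes
    return rec

# Entry as quoted in the reply above, including the mail line wrapping.
QUOTED = """Aug 28 03:12:36 spindle kernel: Packet log: ltraf REJECT eth0 PROTO=6
client.ip.was.here:3389 my.ip.was.here:0 L=40 S=0x00 I=22997 F=0x4000
T=119 (#11)"""

# Constructed entry matching the first poster's description (ports 0, DF and MF).
CONSTRUCTED = ("Sep 06 10:00:00 host kernel: Packet log: input DENY eth0 PROTO=6 "
               "192.0.2.10:0 198.51.100.5:0 L=40 S=0x00 I=4242 F=0x6000 T=110 (#3)")

if __name__ == "__main__":
    for sample in (QUOTED, CONSTRUCTED):
        print(analyze(sample))
```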