streams of fragments...

[Russell Fulton <r.fulton () auckland ac nz>]

For some time now snort has been logging 'Tiny Fragments' coming from 
several different addresses.  Here is a sample:

Packet 1
TIME:   10:04:55.405457
LINK:   00:00:0C:46:5C:D1 -> 00:E0:1E:8E:31:71 type=IP
  IP:   62.32.156.41 -> 130.216.112.2 hlen=20 TOS=48 dgramlen=20 id=5D09
        MF/DF=1/1 frag=0 TTL=98 proto=TCP cksum=CE6E
 TCP:   port 0 -> 0 seq=0000000000 ack=0000000000
        hlen=0 (data=0) UAPRSF=000000 wnd=28 cksum=50A9 urg=59666
DATA:   <No data>
---------------------------------------------------------------------------
Packet 2
TIME:   10:04:55.481006 (0.075549)
LINK:   00:00:0C:46:5C:D1 -> 00:E0:1E:8E:31:71 type=IP
  IP:   62.32.156.41 -> 130.216.112.2 hlen=20 TOS=48 dgramlen=20 id=5D12
        MF/DF=1/1 frag=0 TTL=98 proto=TCP cksum=CE65
 TCP:   port 0 -> 0 seq=0000000000 ack=0000000000
        hlen=0 (data=0) UAPRSF=000000 wnd=28 cksum=0F59 urg=30577
DATA:   <No data>

Note More Fragments and Don't fragment are both set to 1??

The packets arrive in pairs, both to the same destination address.

Some sources send packets to just one destination others send them
to many.

When I look in the argus logs I see a single RST packet and argus does
not report that it was fragmented.

Any idea what is going on?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com