Hey folks!

Two days ago I set up a firewall box (SuSE 6.1, 2.2.10, ipchains, masquerading) connected to my offline intranet. I have another NIC in this box using a DHCP-supplied IP addy from my provider. This second NIC is to a semi-permanent xDSL connection. I have IP_ALWAYS_DEFRAG enabled in the kernel, along with all the masquerading stuff, firewall stuff, etc. I do not run inetd, and all my ports are blocked except those required for HTTP and DHCPClient. I do not run X. Basically, the box is pretty tight. I can only get into the firewall via SSH from my LAN. I do not route any outside service requests into the intranet. There are no accounts on the firewall other than the root account. It is used for nothing more than a firewall/masquerade box.

Attached are the relevant entries from my /var/log/messages regarding "bogus packet size." Eth1 is my connection to the net, from which the packets are coming. Eth0 (not listed) is my NIC to my intranet.

Has anyone seen this kind of thing before?!? I'm wondering if this is some type of attack on the masquerading defragment bug. Note the receipt times of the packets. Almost all of them are from around 14:20 and 16:33. I've never seen anything like this. Is this an attack or natural phenomenon? I have had the same DHCP assigned public IP address for a couple days now (both xDSL modem and firewall online), so someone port scanning should be able to find me. Also, I found nothing else out of the ordinary in the logs. Just my cron jobs and every 30 minutes the DHCP stuff.

Suggestions?!?

-- mailto:scott.mceachern@sympatico.ca

On the side of the software box, in the "System requirements section", it said "Requires Windows 95 or better." So I installed Linux.

Aug 17 12:57:06 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x7a.
Aug 17 14:18:09 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x55.
Aug 17 14:18:09 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x56.
Aug 17 14:18:11 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x57.
Aug 17 14:18:15 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x58.
Aug 17 14:22:50 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x60.
Aug 17 14:55:33 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x68.
Aug 17 16:33:09 firewall kernel: eth1: bogus packet size: 7, status=0x21 nxpg=0x4d.
Aug 17 16:33:09 firewall kernel: eth1: bogus packet size: 7, status=0x21 nxpg=0x4e.
Aug 17 16:33:09 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x4f.
Aug 17 16:33:09 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x50.
Aug 17 16:33:09 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x51.
Aug 17 16:33:09 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x52.
Aug 17 16:33:14 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x53.
Aug 17 16:33:19 firewall kernel: eth1: bogus packet size: 7, status=0x21 nxpg=0x54.
Aug 17 16:33:20 firewall kernel: eth1: bogus packet size: 7, status=0x21 nxpg=0x55.
Aug 17 16:33:20 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x56.
Aug 17 16:33:20 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x57.
Aug 17 16:33:20 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x58.
Aug 17 16:33:21 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x59.
Aug 17 16:33:21 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x5a.
Aug 17 16:33:25 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x5b.
Aug 17 16:37:54 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x76.
Aug 17 16:37:55 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x77.
Aug 17 19:04:24 firewall kernel: eth1: bogus packet size: 6, status=0x1 nxpg=0x4f.
Aug 17 19:04:25 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x50.
Aug 17 19:04:25 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x51.
Aug 17 19:04:26 firewall kernel: eth1: bogus packet size: 6, status=0x21 nxpg=0x52.
Aug 17 19:04:31 firewall kernel: eth1: bogus packet size: 7, status=0x21 nxpg=0x53.
Aug 17 19:04:32 firewall kernel: eth1: bogus packet size: 7, status=0x21 nxpg=0x54.
Aug 17 19:04:43 firewall kernel: eth1: bogus packet size: 7, status=0x21 nxpg=0x55.
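The post above eyeballs the timestamps to spot the 14:18 and 16:33 clusters. The script below is an added example (not part of the thread) that does the same triage mechanically: it parses the "bogus packet size" lines, groups them into bursts separated by more than a configurable gap, and reports per burst how many messages fired and which size, status and nxpg values appeared. The sample input is a subset of the eth1 lines quoted in the post; the 1999 year is supplied by hand because classic syslog timestamps omit it. One caveat worth knowing when reading these fields: the same message text is printed by the Linux 8390-family (NE2000-compatible) Ethernet driver's receive path when the length it reads from the card's receive-ring packet header is outside the valid Ethernet frame range, so "size", "status" and "nxpg" describe what the NIC handed the driver, not a parsed IP datagram. Bursts of such messages with nxpg stepping through consecutive ring pages are therefore worth checking against the hardware (card, IRQ sharing, cabling) as well as against the firewall rules, and this script only summarizes the pattern; it does not decide the cause.

```python
import re
from datetime import datetime, timedelta

# Sample input: a subset of the eth1 lines quoted in the post above.
SAMPLE_LOG = """\
Aug 17 12:57:06 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x7a.
Aug 17 14:18:09 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x55.
Aug 17 14:18:09 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x56.
Aug 17 14:18:11 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x57.
Aug 17 14:18:15 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x58.
Aug 17 14:22:50 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x60.
Aug 17 16:33:09 firewall kernel: eth1: bogus packet size: 7, status=0x21 nxpg=0x4d.
Aug 17 16:33:09 firewall kernel: eth1: bogus packet size: 7, status=0x21 nxpg=0x4e.
Aug 17 16:33:09 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x4f.
Aug 17 16:33:14 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x53.
Aug 17 16:33:25 firewall kernel: eth1: bogus packet size: 7, status=0x1 nxpg=0x5b.
Aug 17 19:04:24 firewall kernel: eth1: bogus packet size: 6, status=0x1 nxpg=0x4f.
Aug 17 19:04:26 firewall kernel: eth1: bogus packet size: 6, status=0x21 nxpg=0x52.
Aug 17 19:04:43 firewall kernel: eth1: bogus packet size: 7, status=0x21 nxpg=0x55.
"""

# Classic syslog prefix (month, day, time, host, "kernel:") followed by the
# driver message; the day may be padded with a second space ("Aug  7").
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?P<dev>\w+): bogus packet size: (?P<size>\d+), "
    r"status=(?P<status>0x[0-9a-fA-F]+) nxpg=(?P<nxpg>0x[0-9a-fA-F]+)\.?$"
)


def parse_line(line, year=1999):
    """Parse one syslog line into a dict, or return None when it is not a
    'bogus packet size' message. The year is supplied by the caller because
    the syslog timestamp does not carry one (1999 matches the post)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "dev": m["dev"],
        "size": int(m["size"]),
        "status": int(m["status"], 16),
        "nxpg": int(m["nxpg"], 16),
    }


def group_bursts(records, gap_seconds=60):
    """Split records into bursts: a new burst starts whenever the gap to the
    previous record (in time order) exceeds gap_seconds."""
    gap = timedelta(seconds=gap_seconds)
    bursts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if bursts and rec["ts"] - bursts[-1][-1]["ts"] <= gap:
            bursts[-1].append(rec)
        else:
            bursts.append([rec])
    return bursts


def summarize(log_text, gap_seconds=60):
    """Return one summary dict per burst: its time span, message count, and
    the distinct size/status values plus first and last nxpg seen."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    summaries = []
    for burst in group_bursts(records, gap_seconds):
        summaries.append({
            "start": burst[0]["ts"],
            "end": burst[-1]["ts"],
            "count": len(burst),
            "sizes": sorted({r["size"] for r in burst}),
            "statuses": sorted({r["status"] for r in burst}),
            "nxpg_first": burst[0]["nxpg"],
            "nxpg_last": burst[-1]["nxpg"],
        })
    return summaries


if __name__ == "__main__":
    # Run against the sample; point it at a real /var/log/messages by
    # passing the file contents to summarize() instead.
    for s in summarize(SAMPLE_LOG):
        print(f"{s['start']:%H:%M:%S}-{s['end']:%H:%M:%S} "
              f"{s['count']:3d} msgs sizes={s['sizes']} "
              f"status={[hex(v) for v in s['statuses']]} "
              f"nxpg=0x{s['nxpg_first']:02x}..0x{s['nxpg_last']:02x}")
```

With the default 60-second gap the sample splits into five bursts; raising the gap to an hour merges the 14:18 and 14:22 entries into one, which is the knob to turn when deciding whether two clusters should be treated as one event.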
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Do an ipchains listing. That should show you _IF_ you might have errors in your rules.

- --
Moonshi Mohsenruddin
moonshi@linux.com.sg
Singapore icq:2595480
http://www.linux.com.sg

-----Original Message-----
From: scottm@smtp11.bellglobal.com [mailto:scottm@smtp11.bellglobal.com] On Behalf Of Scott McEachern
Sent: Wednesday, August 18, 1999 10:31 AM
To: suse-security@suse.com
Subject: [suse-security] Oddball log entry...

Hey folks!

Two days ago I set up a firewall box (SuSE 6.1, 2.2.10, ipchains, masquerading) connected to my offline intranet. I have another NIC in this box using a DHCP-supplied IP addy from my provider. This second NIC is to a semi-permanent xDSL connection. I have IP_ALWAYS_DEFRAG enabled in the kernel, along with all the masquerading stuff, firewall stuff, etc. I do not run inetd, and all my ports are blocked except those required for HTTP and DHCPClient. I do not run X. Basically, the box is pretty tight. I can only get into the firewall via SSH from my LAN. I do not route any outside service requests into the intranet. There are no accounts on the firewall other than the root account. It is used for nothing more than a firewall/masquerade box.

Attached are the relevant entries from my /var/log/messages regarding "bogus packet size." Eth1 is my connection to the net, from which the packets are coming. Eth0 (not listed) is my NIC to my intranet.

Has anyone seen this kind of thing before?!? I'm wondering if this is some type of attack on the masquerading defragment bug. Note the receipt times of the packets. Almost all of them are from around 14:20 and 16:33. I've never seen anything like this. Is this an attack or natural phenomenon? I have had the same DHCP assigned public IP address for a couple days now (both xDSL modem and firewall online), so someone port scanning should be able to find me. Also, I found nothing else out of the ordinary in the logs. Just my cron jobs and every 30 minutes the DHCP stuff.

Suggestions?!?

-- mailto:scott.mceachern@sympatico.ca

On the side of the software box, in the "System requirements section", it said "Requires Windows 95 or better." So I installed Linux.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i

iQA/AwUBN7nFUGefe0TVuy5lEQImmQCeLGdUAIl10WuMHM35+c6Lqk9sXCUAn0NP
3r71a/UjzCGReWkx6c1s3lKR
=QkC2
-----END PGP SIGNATURE-----