[nsp-sec] Odd packets from 255.127.0.0
SURFcert - Peter
p.g.m.peters at utwente.nl
Mon Oct 6 13:18:11 EDT 2014
Bill Owens wrote on 2014-10-06 17:47:
> ----------- nsp-security Confidential --------
>
> Also, these packets look awfully familiar:
>
> https://isc.sans.edu/forums/diary/More+Bad+Port+0+Traffic/17102

We got a complaint from a Cisco ASA user who has been seeing things like
this from a dozen different networks since yesterday 22:58 (UTC+2).

Oct 5 22:58:45 fw-@@@@@ :Oct 05 22:58:45 MET: %ASA-session-5-500003:
Bad TCP hdr length (hdrlen=56, pktlen=78) from 8.2.3.5/0 to 1.1.2.1/0,
flags: FIN SYN RST PSH ACK , on interface outside

(IP addresses changed)

The pktlen is almost always 78 and the hdrlen varies from 0 to some
number under 78. Also the flags show all kinds of weird combinations or
even INVALID.

Some documentation mentions the 5-500003 error as normal traffic. Others
attribute it to faulty wiring.

--
Peter Peters /------\ SURFnet bv
SURFcert | SURF | cert.surfnet.nl
cert at surfnet.nl \-----\ \-----\ Postbus 19035
PGP Key ID 0x5A52C966 | CERT | NL-3501 DA Utrecht
+31 30 2305 305 \------/ fax: +31 30 2305 329
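
Added example, not part of the original message: a small triage script that parses %ASA-session-5-500003 lines in the layout quoted above and summarizes the traits described there (pktlen distribution, hdrlen spread, port 0 on both ends, flag combinations, number of sources). The sample lines, addresses and host name are constructed, and the script assumes each syslog event arrives as a single unwrapped line.

```python
import re
from collections import Counter

# Field layout follows the %ASA-session-5-500003 line quoted in the message.
LINE_RE = re.compile(
    r"%ASA(?:-session)?-5-500003: Bad TCP hdr length "
    r"\(hdrlen=(?P<hdrlen>\d+), pktlen=(?P<pktlen>\d+)\) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+), "
    r"flags:\s*(?P<flags>[A-Z ]*?)\s*, on interface (?P<ifc>\S+)"
)

def parse(line):
    """Return one 500003 event as a dict, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("hdrlen", "pktlen", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["flags"] = frozenset(rec["flags"].split())
    return rec

def odd_flags(flags):
    """True for the ASA's INVALID marker or SYN combined with FIN or RST."""
    return "INVALID" in flags or ("SYN" in flags and bool(flags & {"FIN", "RST"}))

def summarize(lines):
    """Aggregate events; hdrlen_below_20 counts values under the 20-byte TCP minimum."""
    recs = [r for r in map(parse, lines) if r is not None]
    return {
        "events": len(recs),
        "sources": Counter(r["src"] for r in recs),
        "pktlen": Counter(r["pktlen"] for r in recs),
        "hdrlen_values": sorted({r["hdrlen"] for r in recs}),
        "port0_both": sum(r["sport"] == 0 and r["dport"] == 0 for r in recs),
        "hdrlen_below_20": sum(r["hdrlen"] < 20 for r in recs),
        "odd_flags": sum(odd_flags(r["flags"]) for r in recs),
    }

# Constructed sample lines (documentation addresses, hypothetical host name).
_P = "Oct 5 22:58:45 fw-example :Oct 05 22:58:45 MET: %ASA-session-5-500003: "
SAMPLE = [
    _P + "Bad TCP hdr length (hdrlen=56, pktlen=78) from 192.0.2.10/0 to 198.51.100.1/0, flags: FIN SYN RST PSH ACK , on interface outside",
    _P + "Bad TCP hdr length (hdrlen=0, pktlen=78) from 203.0.113.7/0 to 198.51.100.1/0, flags: INVALID , on interface outside",
    _P + "Bad TCP hdr length (hdrlen=32, pktlen=78) from 192.0.2.10/0 to 198.51.100.1/0, flags: SYN URG , on interface outside",
    "Oct 5 22:59:01 fw-example unrelated message (constructed)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A single dominant pktlen combined with many distinct hdrlen values and sources is the shape described in the message; comparing the summary across firewalls shows whether they are seeing the same traffic.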