Incomplete / Corrupt Packets...

[tampabay420]

Can incomplete / corrupt packets be used in a malicous manner?

Friend of mine is a Kazaa junkie- runs some win-firewall. Keeps getting logs:: "incomplete packet". There are tons of them- Not sure if it's actually affecting the network or not?

[mmelby]

Yes. Fragmented packets can be an exploit. There is a database of expliots in this thread.

http://www.antionline.com/showthread...hreadid=235369

[nebulus200]

Potentially. There were many bugs in the Microsoft implementation of the TCP/IP stack that would cause reboots (think ping of death), blue screens, and crashes due to exceptional conditions (in previous case ICMP packets > 65535 bytes, (this has long since been fixed)).

Keep in mind that corrupt packets can be caused by malfunctioning network equipment, servers, errors, etc, and are not necessarily to result of malicious activity. In the case of an 'incomplete packet' I would say reference your firewall manual/documentation for more information, this is a very ambiguous description. If I had to guess i would say that either some packets were very fragmented and you didn't get them all, or that a packet said it was a certain size but it wasn't.

I would definitely look a little harder at it, maybe use something like ethereal to get a few packet dumps and see if you can't tell exactly what is causing the error to be reported (or you could sanitize the output (remove usernames/passwords/ips), and post it here, I am sure someone would be able to help you (if for some reason I was clueless).

/nebulus

[tampabay420]

I still don't understand the AntiPoints Sys?

Thanx for the help- I'll have to look further into this...