Results 1 to 5 of 5

Thread: Invalid Packets?

  1. #1
    Junior Member
    Join Date
    Mar 2005

    Question Invalid Packets?

    Hi, I have a few questions.

    Ok, I have a linksys router with a built in firewall and when I check the logs I typically see this:

    2005-03-27 11:13:30 @in 4982/TCP from 2xx.4x.2xx.xx:80 to Invalid TCP packet received, dropping packet
    How exactly does the router know which packets are invalid and which aren't? What constitutes an invalid packet? Does anyone know the rule list (I guess that's what it's called) that the linksys router is using to determine which are packets are suitable and which are not?

    Any info is welcome. Please excuse my ignorance.

  2. #2
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    3rd Rock from Sun
    192.168.x.x is a 'private' number.
    It doesn't go out into the wild, and if it does, it gets dropped by the first router that sees it.

    There are a lot of books out there that you might want to peruse for info, and there are a lot of tutorials here on AO.

    Learn to read till your eyes bleed

    basic TCP tuts


    various other tuts

    And as it's your first post ...............
    Welcome to AO.
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  3. #3
    Senior Member
    Join Date
    Dec 2003
    Pacific Northwest
    Good Evening,

    How exactly does the router know which packets are invalid and which aren't?
    Well as foxyloxley has indicated, study! Learn every facet of your router. What goes in, what goes out, how that is determined, routing protocols and routed protocols etc.

    But in the mean time to wet your whistle and give you a taste of what you could be getting into; one way is by Access Lists and here’s a sample:

    IP Standard Access List, IP Extended Access List, IPX SAP Access List, 48-bit MAC Address Access List, Extended 48-bit MAC Address Access List, IPX Summary Address List, Protocol Type-Code Access List, DECnet Access List, XNS Standard Access List, XNS Extended Access List, Appletalk Access List, IPX Standard Access List, and IPX Extended Access List.

    Of course there are default settings, but you can create you own access lists. In which you would specify what to deny (reject) and permit (forward) and this can be accomplished by Hostnames, IP Address, MAC Address, etc. Additionally you can use Wildcards with your Access Lists to specify a network, host, or any part thereof.

    Particularly on your Linksys you should be able to Filter by IP Address Range, Filter by Port Range, Filter by MAC Addresses, and your Router should support: IPSec Passthrough, PPPoE Passthrough, and PPTP Passthrough; all within your VPN Section of your Security Tab on the Main Menu.

    Additionally under the Filter MAC Address you should see: Block Anonymous Internet Requests, Filter Multicasts, Filter Internet NAT Redirection, and Filter IDENT (Port 113).

    Now if it is a Wireless Linksys under Wireless Security you will also see another section for Wireless Network Access. The Choices will most likely be: Allow All or Restrict Access. The advantages are obvious. Only allow known MAC Addresses by clicking on Restrict Access and then add the MAC Addresses of those you wish to allow access to your network.

    Well this should get you started and hopefully this doesn’t scare you off, but it does require a lot of studying.

    Connection refused, try again later.

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Hi @---@

    Quite some study has been assigned to you ... May the force be with you

    The general part of your question has been thoroughly answered.
    But I will try an educated guess on your specific log-excerpt.

    2005-03-27 11:13:30 @in 4982/TCP from 2xx.4x.2xx.xx:80 to Invalid TCP packet received, dropping packet
    This looks like a http (website) packet coming from 2xx.4x.2xx.xxx to your PC, which has the
    internal IP number The internal number might not be a problem, because it
    could be that the router first translates the NAT(*) entry back to the internal destination,
    before writing the log entry (makes sense?)

    The Invalid TCP packet refers with very high probabilty to a TCP packet with an invalid
    in the header (the checksum is kind of consistency check of the transmission).
    The invalidity might have, simply put, two reasons: A badly forged TCP packet (eg spoofed),
    or some error in the transmission (?).

    (*) The only IP number, which can be seen from "outside" should be your external IP
    number. In order to enable an internal network, routers use the NAT procedure[1]


    [1] http://www.antionline.com/showthread...r=1#post815380
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  5. #5
    Senior Member
    Join Date
    Mar 2005
    Q: Which packets are invalid?
    A: Those packets are invalid which are not valid. Hehehe. Just Kidding

    There are many ways, packets can be called invalid. One of them is in this case :-

    As you might or might not be knowing that packets have an OFFSET field in their TCP header part. There may be some curruption in OFFSET ( see the eg below )

    ### --> 1 Data packet

    Normally, a system/router recieves data packets in the following form, with no overlapping Offset values.

    (1 to 1500 bytes) (1501 to 3000 bytes) (3001 to 4500 bytes)

    and in your case they may have come in the following way :

    (1 to 1500 bytes) ( 1400 to 3000 bytes) (2001 to 3600 byes).

    (NOTE: hyphens used are just for clarity)

    Guess what? This is more or less called the Teardrop attack.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts