-
Norton IDS
Details: Intrusion: Invalid IP Flags
Intruder: 80.14.236.194
Risk Level: Low
Source IP address: 80.14.236.194
Destination IP address: michael(203.125.127.251)
Protocol: TCP.
IP Flags and Fragment Offset: 0x00009813. This field is invalid.
Click on the address to trace the attacker
You can get detailed information about this attack at Symantec Security Response
What is Invalid IP Flags? What is the threat?
-
Well, we can't really tell without the rest of the stream/datagram since those fields are relative to the other packets...
Ammo
-
Quote:
Originally posted here by ammo
Well, we can't really tell without the rest of the stream/datagram since those fields are relative to the other packets...
Ammo
What could be the threat? How can this Invalid IP help in penetrating my PC?
-
Hum, on second look, I'm not sure what they mean with
"IP Flags and Fragment Offset: 0x00009813"...
Do they offer any details somewhere in the doc/help?
Ammo
-
Quote:
Originally posted here by ammo
Hum, on second look, I'm not sure what they mean with
"IP Flags and Fragment Offset: 0x00009813"...
Do they offer any details somewhere in the doc/help?
Ammo
Then I think Norton didn't log it very well...
-
Normally invalid IP flags are an illegal combination of TCP flags, which are set in the 13th byte of the TCP header. The first two bits of the byte used to be reserved but are now used for congestion management. The other 6 bits are used for your flags, i.e. SYN/FIN/ACK/RST/PSH/URG. For example, if you send a packet with the SYN and FIN flags set, that would be an invalid flag combination.
-
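Added example (not part of any post in this thread): a decoder for the 16-bit IPv4 flags/fragment-offset field reported in the alert, plus a check of a TCP flags byte for the SYN+FIN combination described in the reply above. It assumes the alert's 0x00009813 carries the raw header field in its low 16 bits, and it goes slightly beyond the thread by also flagging SYN+RST and the no-flags case; the function names are hypothetical.

```python
# Added example: values are taken from the thread's alert or constructed for illustration.
IP_RESERVED, IP_DF, IP_MF = 0x8000, 0x4000, 0x2000

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def decode_ip_frag_field(value):
    """Decode the IPv4 flags + fragment offset field (header bytes 6-7)."""
    # Assumption: the alert's 32-bit value holds the field in its low 16 bits.
    value &= 0xFFFF
    result = {
        "reserved": bool(value & IP_RESERVED),   # must be zero per RFC 791
        "df": bool(value & IP_DF),               # Don't Fragment
        "mf": bool(value & IP_MF),               # More Fragments
        "offset_bytes": (value & 0x1FFF) * 8,    # offset is in 8-byte units
        "problems": [],
    }
    if result["reserved"]:
        result["problems"].append("reserved bit set (must be zero per RFC 791)")
    return result


def tcp_flag_problems(flags_byte):
    """Return (names of set flags, list of contradictory combinations)."""
    names = [name for name, bit in TCP_FLAGS.items() if flags_byte & bit]
    problems = []
    if {"SYN", "FIN"} <= set(names):
        problems.append("SYN+FIN")               # open and close at once
    if {"SYN", "RST"} <= set(names):
        problems.append("SYN+RST")               # open and abort at once
    if not flags_byte & 0x3F:
        problems.append("no flags (null packet)")
    return names, problems


if __name__ == "__main__":
    print(decode_ip_frag_field(0x00009813))      # value from the Norton alert
    print(tcp_flag_problems(0x03))               # constructed: SYN+FIN
    print(tcp_flag_problems(0x12))               # constructed: SYN+ACK handshake reply
```

For the alert's value the decoder reports the reserved bit set with DF and MF clear; whether that is the condition Norton tested is not stated anywhere in the thread.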
-
Nah, this is an old hack. Any IDS system worth its salt, i.e. Blackice amongst others, will pick this up all the time. Only of concern if you were running services on an unprotected box.
-
Quote:
Originally posted here by don
Nah, this is an old hack. Any IDS system worth its salt, i.e. Blackice amongst others, will pick this up all the time. Only of concern if you were running services on an unprotected box.
I wish to understand how it can compromise my system. What kind of service must the unprotected box be running?