-
March 27th, 2005, 06:42 PM
#1
Junior Member
Invalid Packets?
Hi, I have a few questions.
OK, I have a Linksys router with a built-in firewall, and when I check the logs I typically see this:
2005-03-27 11:13:30 @in 4982/TCP from 2xx.4x.2xx.xx:80 to 192.168.1.101:4982 Invalid TCP packet received, dropping packet
How exactly does the router know which packets are invalid and which aren't? What constitutes an invalid packet? Does anyone know the rule list (I guess that's what it's called) that the Linksys router is using to determine which packets are suitable and which are not?
Any info is welcome. Please excuse my ignorance.
-
March 28th, 2005, 01:23 AM
#2
192.168.x.x is a 'private' number.
It doesn't go out into the wild, and if it does, it gets dropped by the first router that sees it.
There are a lot of books out there that you might want to peruse for info, and there are a lot of tutorials here on AO.
Learn to read till your eyes bleed 
basic TCP tuts
subnetting
various other tuts
And as it's your first post ...............
Welcome to AO.
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
-
March 28th, 2005, 04:00 AM
#3
Good Evening,
How exactly does the router know which packets are invalid and which aren't?
Well as foxyloxley has indicated, study! Learn every facet of your router. What goes in, what goes out, how that is determined, routing protocols and routed protocols etc.
But in the meantime, to whet your whistle and give you a taste of what you could be getting into, one way is by Access Lists, and here's a sample:
IP Standard Access List, IP Extended Access List, IPX SAP Access List, 48-bit MAC Address Access List, Extended 48-bit MAC Address Access List, IPX Summary Address List, Protocol Type-Code Access List, DECnet Access List, XNS Standard Access List, XNS Extended Access List, Appletalk Access List, IPX Standard Access List, and IPX Extended Access List.
Of course there are default settings, but you can create your own access lists, in which you would specify what to deny (reject) and permit (forward); this can be accomplished by Hostnames, IP Address, MAC Address, etc. Additionally you can use Wildcards with your Access Lists to specify a network, host, or any part thereof.
Particularly on your Linksys you should be able to Filter by IP Address Range, Filter by Port Range, Filter by MAC Addresses, and your Router should support: IPSec Passthrough, PPPoE Passthrough, and PPTP Passthrough; all within your VPN Section of your Security Tab on the Main Menu.
Additionally under the Filter MAC Address you should see: Block Anonymous Internet Requests, Filter Multicasts, Filter Internet NAT Redirection, and Filter IDENT (Port 113).
Now if it is a Wireless Linksys under Wireless Security you will also see another section for Wireless Network Access. The Choices will most likely be: Allow All or Restrict Access. The advantages are obvious. Only allow known MAC Addresses by clicking on Restrict Access and then add the MAC Addresses of those you wish to allow access to your network.
Well this should get you started and hopefully this doesn’t scare you off, but it does require a lot of studying.
Cheers.
Connection refused, try again later.
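As an added illustration of how an access list like the ones listed in the post above is evaluated (this is example code written for this thread, not Linksys firmware or any vendor's ACL engine), the following Python sketch matches packets against an ordered permit/deny list using Cisco-style wildcard masks, filters by destination port range, and applies the implicit deny that ends every access list. The rule set, the 203.0.113.7 source address and the packets are all constructed for the example.

```python
"""Toy access-list evaluator (constructed example, not Linksys or Cisco code).

A packet is compared against an ordered list of rules; the first rule whose
source, destination, protocol and destination-port range all match decides
permit or deny, and anything that matches no rule hits the implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard mask: a 1 bit means 'don't care' for that bit.

    0.0.0.0 therefore matches one exact host, 0.0.0.255 a /24, and
    255.255.255.255 matches any address.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source base address
    src_wild: str          # source wildcard mask
    dst: str               # destination base address
    dst_wild: str          # destination wildcard mask
    proto: str = "any"     # "tcp", "udp" or "any"
    port_lo: int = 0       # destination port range, inclusive
    port_hi: int = 65535


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First match wins; an access list ends with an implicit deny."""
    for r in rules:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, r.src, r.src_wild):
            continue
        if not wildcard_match(pkt.dst, r.dst, r.dst_wild):
            continue
        if not (r.port_lo <= pkt.dport <= r.port_hi):
            continue
        return r.action
    return "deny"


# Constructed inbound (WAN -> LAN) rule set for a LAN of 192.168.1.0/24.
INBOUND = [
    # Private source addresses have no business arriving from the Internet.
    Rule("deny", "192.168.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255"),
    # "Filter IDENT (Port 113)": drop TCP/113 to any LAN host.
    Rule("deny", "0.0.0.0", "255.255.255.255", "192.168.1.0", "0.0.0.255", "tcp", 113, 113),
    # "Filter by Port Range": allow replies to LAN clients' ephemeral ports.
    Rule("permit", "0.0.0.0", "255.255.255.255", "192.168.1.0", "0.0.0.255", "tcp", 1024, 65535),
]


def decide(pkt: Packet) -> str:
    """Verdict of the constructed inbound list for one packet."""
    return evaluate(INBOUND, pkt)


if __name__ == "__main__":
    # Constructed packets; 203.0.113.7 is a documentation address.
    for p in (Packet("203.0.113.7", "192.168.1.101", "tcp", 4982),
              Packet("203.0.113.7", "192.168.1.101", "tcp", 113),
              Packet("192.168.5.5", "192.168.1.101", "tcp", 4982),
              Packet("203.0.113.7", "192.168.1.101", "tcp", 22)):
        print(p, "->", decide(p))
```

Note that rule order matters: the anti-spoof deny must sit above the broad permit, or a packet with a forged 192.168.x.x source would be forwarded. A stateless port-range permit like the third rule is also coarse; it admits any TCP segment aimed at a high port, which is why the router's other checks (such as the checksum inspection discussed later in the thread) still matter.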
-
March 28th, 2005, 10:56 AM
#4
Hi @---@
Quite some study has been assigned to you ... May the force be with you 
The general part of your question has been thoroughly answered.
But I will try an educated guess on your specific log-excerpt.
2005-03-27 11:13:30 @in 4982/TCP from 2xx.4x.2xx.xx:80 to 192.168.1.101:4982 Invalid TCP packet received, dropping packet
This looks like an http (website) packet coming from 2xx.4x.2xx.xxx to your PC, which has the internal IP number 192.168.1.101. The internal number might not be a problem, because it could be that the router first translates the NAT(*) entry back to the internal destination, before writing the log entry (makes sense?)
The Invalid TCP packet refers with very high probability to a TCP packet with an invalid checksum in the header (the checksum is a kind of consistency check of the transmission). The invalidity might have, simply put, two reasons: a badly forged TCP packet (e.g. spoofed), or some error in the transmission (?).
(*) The only IP number which can be seen from "outside" should be your external IP number. In order to enable an internal network, routers use the NAT procedure[1].
Cheers.
[1] http://www.antionline.com/showthread...r=1#post815380
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
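The checksum consistency check mentioned in the post above, worked through as an added Python example (written for this thread, not the router's code): it computes the TCP checksum over the IPv4 pseudo-header and the segment, verifies a constructed segment addressed like the one in the log, and shows that a single flipped payload bit or a garbled checksum field makes the segment fail the check. The 203.0.113.7 source address and the payload are constructed; the log line format mirrors the one quoted in the thread.

```python
"""TCP checksum check (constructed example; not the router's firmware).

A router can only call a segment 'invalid' by checks it can run itself; the
simplest is the TCP checksum, a one's-complement sum over an IPv4
pseudo-header plus the whole TCP segment (RFC 793 / RFC 1071).
"""
import ipaddress
import struct
from typing import Optional

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words, folding carries back in (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"                      # odd trailing byte is padded with zero
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + segment with the checksum field zeroed."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]   # bytes 16-17 hold the checksum
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build_segment(src_ip: str, dst_ip: str, sport: int, dport: int,
                  payload: bytes, seq: int = 1, ack: int = 1, flags: int = 0x18) -> bytes:
    """Minimal 20-byte TCP header (no options) with a correct checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         5 << 4,      # data offset = 5 words, reserved bits zero
                         flags,       # 0x18 = PSH|ACK
                         65535,       # window
                         0,           # checksum placeholder
                         0)           # urgent pointer
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def checksum_is_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Recompute the checksum and compare it with the one carried in the header."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == stored


def inspect(src_ip: str, dst_ip: str, segment: bytes,
            when: str = "2005-03-27 11:13:30") -> Optional[str]:
    """Return a log line in the format quoted in the thread if the segment
    fails the checksum, or None if it should be passed on."""
    sport, dport = struct.unpack("!HH", segment[:4])
    if checksum_is_valid(src_ip, dst_ip, segment):
        return None
    return (f"{when} @in {dport}/TCP from {src_ip}:{sport} to {dst_ip}:{dport} "
            "Invalid TCP packet received, dropping packet")


# Constructed traffic: a web reply to the LAN host named in the original log.
SRC, DST = "203.0.113.7", "192.168.1.101"
GOOD = build_segment(SRC, DST, 80, 4982, b"HTTP/1.1 200 OK\r\n")
# One payload bit damaged in transit (byte 20 is the first payload byte).
BIT_FLIPPED = GOOD[:20] + bytes([GOOD[20] ^ 0x01]) + GOOD[21:]
# The checksum field itself garbled: flip its lowest bit so it is certainly wrong.
_stored = struct.unpack("!H", GOOD[16:18])[0]
BAD_CHECKSUM = GOOD[:16] + struct.pack("!H", _stored ^ 0x0001) + GOOD[18:]

if __name__ == "__main__":
    for name, seg in (("good", GOOD), ("bit_flipped", BIT_FLIPPED), ("bad_checksum", BAD_CHECKSUM)):
        print(name, inspect(SRC, DST, seg))
```

The check cannot tell the two causes the post names apart: a segment corrupted on the wire and a deliberately forged one with a wrong checksum both fail in exactly the same way, which is why the log line alone is not evidence of an attack.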
-
March 29th, 2005, 11:02 AM
#5
Q: Which packets are invalid?
A: Those packets are invalid which are not valid. Hehehe. Just Kidding
There are many ways packets can be called invalid. One of them is in this case:
As you may or may not know, packets have an OFFSET field in their TCP header part. There may be some corruption in the OFFSET (see the example below).
### --> 1 Data packet
Normally, a system/router receives data packets in the following form, with no overlapping Offset values.
-------###--------------------###--------------------------###
(1 to 1500 bytes) (1501 to 3000 bytes) (3001 to 4500 bytes)
and in your case they may have come in the following way :
-------###--------------------###--------------------------###
(1 to 1500 bytes) (1400 to 3000 bytes) (2001 to 3600 bytes).
(NOTE: hyphens used are just for clarity)
Guess what? This is more or less called the Teardrop attack.
Cheers..........
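An added Python example (not from the post above) of the overlap check it describes: fragments are modelled as inclusive byte ranges exactly as the diagram labels them, the detector reports the first overlapping pair, and a classifier distinguishes a clean reassembly from an overlap or a gap. A small helper also converts the raw IPv4 fragment-offset field, which on the wire sits in the IP header (in 8-byte units) rather than the TCP header, into the same representation. All fragment values are constructed.

```python
"""Overlapping-fragment check (constructed example; not from the post or any vendor).

Fragments are modelled as inclusive byte ranges, the same way the diagram
above labels them.  A datagram is only acceptable when the sorted fragments
tile it end to end without overlap or gaps; an overlap is what the post
calls the Teardrop pattern.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    first: int   # first byte of the datagram this fragment carries (1-based, as in the diagram)
    last: int    # last byte, inclusive


def from_ip_fields(frag_field: int, total_length: int, ihl: int) -> Fragment:
    """Convert the raw IPv4 fragment-offset field (low 13 bits, in 8-byte units;
    bit 13 is 'more fragments') plus the header and total lengths into the
    1-based byte range used above."""
    offset_bytes = (frag_field & 0x1FFF) * 8
    payload_len = total_length - ihl * 4
    return Fragment(offset_bytes + 1, offset_bytes + payload_len)


def find_overlap(fragments: List[Fragment]) -> Optional[Tuple[Fragment, Fragment]]:
    """Return the first pair of fragments whose ranges overlap, else None."""
    frags = sorted(fragments, key=lambda f: f.first)
    for prev, cur in zip(frags, frags[1:]):
        if cur.first <= prev.last:
            return prev, cur
    return None


def classify(fragments: List[Fragment], expected_last: int) -> str:
    """'ok' when the fragments cover 1..expected_last exactly once, otherwise
    'overlap' (the case the post describes) or 'gap' (missing data)."""
    if not fragments:
        return "gap"
    frags = sorted(fragments, key=lambda f: f.first)
    if find_overlap(frags) is not None:
        return "overlap"
    if frags[0].first != 1:
        return "gap"
    for prev, cur in zip(frags, frags[1:]):
        if cur.first != prev.last + 1:
            return "gap"
    if frags[-1].last != expected_last:
        return "gap"
    return "ok"


# The two arrivals from the diagram above, as constructed input.
NORMAL = [Fragment(1, 1500), Fragment(1501, 3000), Fragment(3001, 4500)]
OVERLAPPING = [Fragment(1, 1500), Fragment(1400, 3000), Fragment(2001, 3600)]

if __name__ == "__main__":
    print("normal:", classify(NORMAL, 4500), find_overlap(NORMAL))
    print("overlapping:", classify(OVERLAPPING, 3600), find_overlap(OVERLAPPING))
```

A reassembly engine that rejects the whole datagram on the first overlap, as classify does, is the conservative choice: it never has to decide which of two conflicting copies of a byte range to trust, which is the ambiguity that overlapping fragments exploit.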