I have just been presented with something I have not seen before. I work in the Network Operations Control Center, or NOC. Anyways, most of the DoS attacks I see from day to day are pretty easy to tell if a packet is malicious or not. However, the meanest packet to date has seemed to be the Fragmented IP. For a while I thought this "Fragmented Protocol" was entirely malicious, with no legit use. However, this is obviously not the case. I noticed a high packets-per-second rate on one of our router's interfaces and decided to capture the traffic to see what it was. This is what the capture looked like.

This appears to be LEGIT IP Fragmented Protocol traffic (not an attack). You can see NFS V3 WRITE Call/Reply XID is in the middle, does some IP Frag, and then does NFS again. If anybody has any information on NFS or what the hell is going on here, please respond. Thanks for everything Antionline.

1 2003-03-25 09:18:42.9564 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=7400)
3 2003-03-25 09:18:42.9567 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=5920)
6 2003-03-25 09:18:42.9570 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
10 2003-03-25 09:18:42.9572 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
11 2003-03-25 09:18:42.9573 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
12 2003-03-25 09:18:42.9574 207.44.132.80 -> 207.44.154.82 NFS V3 WRITE Call XID 0x9bb78aef[Unreassembled Packet]
25 2003-03-25 09:18:42.9581 207.44.154.82 -> 207.44.132.80 NFS V3 WRITE Reply XID 0x9bb78aef
36 2003-03-25 09:18:42.9587 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=7400)
39 2003-03-25 09:18:42.9589 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=5920)
42 2003-03-25 09:18:42.9591 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
45 2003-03-25 09:18:42.9593 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
48 2003-03-25 09:18:42.9596 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
51 2003-03-25 09:18:42.9598 207.44.132.80 -> 207.44.154.82 NFS V3 WRITE Call XID 0x9cb78aef[Unreassembled Packet]
65 2003-03-25 09:18:42.9605 207.44.154.82 -> 207.44.132.80 NFS V3 WRITE Reply XID 0x9cb78aef
71 2003-03-25 09:18:42.9607 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=7400)
73 2003-03-25 09:18:42.9609 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=5920)
84 2003-03-25 09:18:42.9612 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
86 2003-03-25 09:18:42.9614 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
87 2003-03-25 09:18:42.9615 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
88 2003-03-25 09:18:42.9616 207.44.132.80 -> 207.44.154.82 NFS V3 WRITE Call XID 0x9db78aef[Unreassembled Packet]
102 2003-03-25 09:18:42.9624 207.44.154.82 -> 207.44.132.80 NFS V3 WRITE Reply XID 0x9db78aef
114 2003-03-25 09:18:42.9631 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=7400)
117 2003-03-25 09:18:42.9632 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=5920)
119 2003-03-25 09:18:42.9633 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
127 2003-03-25 09:18:42.9638 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
128 2003-03-25 09:18:42.9640 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
131 2003-03-25 09:18:42.9642 207.44.132.80 -> 207.44.154.82 NFS V3 WRITE Call XID 0x9eb78aef[Unreassembled Packet]
146 2003-03-25 09:18:42.9650 207.44.154.82 -> 207.44.132.80 NFS V3 WRITE Reply XID 0x9eb78aef
157 2003-03-25 09:18:42.9656 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=7400)
160 2003-03-25 09:18:42.9659 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=5920)
163 2003-03-25 09:18:42.9660 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
165 2003-03-25 09:18:42.9661 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
168 2003-03-25 09:18:42.9664 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
172 2003-03-25 09:18:42.9666 207.44.132.80 -> 207.44.154.82 NFS V3 WRITE Call XID 0x9fb78aef[Unreassembled Packet]
180 2003-03-25 09:18:42.9672 207.44.154.82 -> 207.44.132.80 NFS V3 WRITE Reply XID 0x9fb78aef
185 2003-03-25 09:18:42.9674 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=7400)
187 2003-03-25 09:18:42.9674 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=5920)
191 2003-03-25 09:18:42.9680 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
198 2003-03-25 09:18:42.9683 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
199 2003-03-25 09:18:42.9683 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
200 2003-03-25 09:18:42.9686 207.44.132.80 -> 207.44.154.82 NFS V3 WRITE Call XID 0xa0b78aef[Unreassembled Packet]

Data:

Frame 1 (970 on wire, 970 captured)
Arrival Time: Mar 25, 2003 09:18:42.956451000
Time delta from previous packet: 0.000000000 seconds
Time relative to first packet: 0.000000000 seconds
Frame Number: 1
Packet Length: 970 bytes
Capture Length: 970 bytes
Ethernet II
Destination: 00:e0:52:15:fa:4a (00:e0:52:15:fa:4a)
Source: 00:e0:52:15:80:d1 (00:e0:52:15:80:d1)
Type: IP (0x0800)
Internet Protocol, Src Addr: 207.44.132.80 (207.44.132.80), Dst Addr: 207.44.154.82 (207.44.154.82)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 956
Identification: 0xeed3
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 7400
Time to live: 63
Protocol: UDP (0x11)
Header checksum: 0x88c4 (correct)
Source: 207.44.132.80 (207.44.132.80)
Destination: 207.44.154.82 (207.44.154.82)
Data (936 bytes)

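Added example, not part of the original post: a small Python triage script that groups the fragment lines of a capture summary like the one above into datagrams and checks that the offsets are 8-byte aligned and evenly spaced, then computes the reassembled datagram size from the frame decode (offset 7400 plus 956 - 20 data bytes). The function names `group_datagrams` and `check` are hypothetical, and the script assumes the offset-0 fragment is the line shown as the upper-layer protocol (here the NFS WRITE Call), as in this capture.

```python
import re

# First seven summary lines, copied from the capture in the post above.
SAMPLE = """\
1 2003-03-25 09:18:42.9564 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=7400)
3 2003-03-25 09:18:42.9567 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=5920)
6 2003-03-25 09:18:42.9570 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
10 2003-03-25 09:18:42.9572 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
11 2003-03-25 09:18:42.9573 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
12 2003-03-25 09:18:42.9574 207.44.132.80 -> 207.44.154.82 NFS V3 WRITE Call XID 0x9bb78aef[Unreassembled Packet]
25 2003-03-25 09:18:42.9581 207.44.154.82 -> 207.44.132.80 NFS V3 WRITE Reply XID 0x9bb78aef
"""

LINE = re.compile(r"^\d+ \S+ \S+ (\S+) -> (\S+) (.*)$")
OFFSET = re.compile(r"off=(\d+)")

def group_datagrams(text):
    """Group fragment lines per src->dst flow; the next line on that flow that
    was dissected as an upper-layer protocol is taken as the offset-0 fragment."""
    pending, datagrams = {}, []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, dst, info = m.groups()
        off = OFFSET.search(info)
        if off and "Fragmented IP protocol" in info:
            pending.setdefault((src, dst), []).append(int(off.group(1)))
        elif (src, dst) in pending:
            offsets = sorted(pending.pop((src, dst)) + [0])
            datagrams.append((src, dst, offsets, info))
    return datagrams

def check(offsets, last_payload):
    """Sanity-check one datagram. last_payload = data bytes in the highest-offset
    fragment (IP total length minus IP header length, from the frame decode)."""
    steps = {b - a for a, b in zip(offsets, offsets[1:])}
    return {
        "fragments": len(offsets),
        "aligned": all(o % 8 == 0 for o in offsets),  # offsets are in 8-byte units
        "step": steps.pop() if len(steps) == 1 else None,  # None = uneven spacing
        "datagram_bytes": offsets[-1] + last_payload,
    }

if __name__ == "__main__":
    for src, dst, offsets, info in group_datagrams(SAMPLE):
        print(src, "->", dst, info, check(offsets, 956 - 20))
```

A step of 1480 is a 1500-byte MTU minus the 20-byte IP header; the summary lines carry no fragment lengths, so even spacing is a heuristic, and uneven spacing or offsets that are not multiples of 8 are what would warrant a closer look.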