
SANS ISC: Port 5000 Traffic Continues; Fragmented tcp/16191 Update - SANS Internet Storm Center


Port 5000 Traffic Continues; Fragmented tcp/16191 Update
Port 5000 Traffic Continues

As reported in yesterday's diary, two worms (Bobax and Kibuv.B) are responsible for the increase in tcp/5000 traffic. Microsoft Windows systems that are currently patched are not vulnerable to either worm.



Fragmented tcp/16191 Update

Additional information on the report of fragmented IP traffic towards port 16191 in the May 14 diary ( http://isc.sans.org/diary.php?date=2004-05-14 ) arrived in the mailbag today. James tells us,


"I have seen this before inside my network, and recently am seeing it again, including a couple of hits from outside now. Using Cisco v2 IDS sensors on my internal network I always see these as a set of 3 signatures:



1203 - IP fragment overwrite - Data is overwritten

1204 - IP fragment missing initial fragment

1208 - IP fragment incomplete dgram



The Cisco IDS usually indicates whether a port is a TCP or UDP port, but in this case the protocol field of the alert simply says IP."



Handler Ed Skoudis explains, "That's likely because the higher-layer protocol (TCP or UDP) header is typically included in the first fragment, including the port number itself. Therefore, because you are getting:



1204 - IP fragment missing initial fragment



You aren't seeing the TCP/UDP stuff, so the IDS labels it merely as IP."



Additional details from Cisco on packet fragmentation are online at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids4/11657_02.htm#xtocid11
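To make the point concrete, here is an added example (not from the diary, James's sensor, or Cisco) that classifies a constructed train of IPv4 fragments the way the three signatures above describe: the transport protocol and destination port can only be read from the offset-0 fragment, so a train without it is labelled plain "IP", and overlaps, holes and a missing tail map onto the 1203/1204/1208 alerts. All packet bytes are constructed in the block itself; the checksum is left as zero since nothing here validates it.

```python
import struct

PROTO_NAMES = {6: "TCP", 17: "UDP"}

def parse_ipv4(pkt):
    """Return (id, offset_bytes, more_fragments, proto, payload) for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    more = bool(flags_frag & 0x2000)              # MF (more fragments) flag
    offset = (flags_frag & 0x1FFF) * 8            # fragment offset is in 8-byte units
    return ident, offset, more, proto, pkt[ihl:total_len]

def classify(fragments):
    """Label one fragment train the way the sensor in the diary does.

    Returns (label, alerts): label is 'TCP/<dport>' or 'UDP/<dport>' only when the
    offset-0 fragment carrying the transport header is present, otherwise plain 'IP'.
    """
    parsed = sorted((parse_ipv4(p) for p in fragments), key=lambda f: f[1])
    alerts, expected = [], 0
    first = next((f for f in parsed if f[1] == 0), None)
    if first is None:
        alerts.append("1204 - IP fragment missing initial fragment")
    for _ident, offset, _more, _proto, payload in parsed:
        if offset < expected:                     # overlaps data already received
            alerts.append("1203 - IP fragment overwrite - Data is overwritten")
        elif offset > expected:                   # hole before this fragment
            alerts.append("1208 - IP fragment incomplete dgram")
        expected = max(expected, offset + len(payload))
    if parsed and parsed[-1][2]:                  # last fragment still has MF set: tail missing
        alerts.append("1208 - IP fragment incomplete dgram")
    label = "IP"
    if first is not None and first[3] in PROTO_NAMES and len(first[4]) >= 4:
        _sport, dport = struct.unpack("!HH", first[4][:4])   # ports are the first 4 bytes
        label = f"{PROTO_NAMES[first[3]]}/{dport}"
    return label, sorted(set(alerts))

def make_fragment(ident, offset, more, proto, payload):
    """Build a minimal IPv4 fragment (constructed test data; checksum left as zero)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

if __name__ == "__main__":
    # Constructed train: 24-byte head (TCP header to port 16191 plus 4 bytes), then the tail.
    head = make_fragment(7, 0, True, 6, struct.pack("!HH", 40000, 16191) + b"\x00" * 20)
    tail = make_fragment(7, 24, False, 6, b"A" * 8)
    print(classify([head, tail]))   # full train: ('TCP/16191', [])
    print(classify([tail]))         # head dropped: ('IP', [1204 ..., 1208 ...])
```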



Marcus H. Sachs

Handler on Duty
