[ale] security: buffer overrun attacks?

jj at spiderentertainment.com jj at spiderentertainment.com
Thu Dec 2 20:20:41 EST 1999


I noticed this strange traffic, and it appears that it only comes from
one ISP, not to mention that it's going to ports where it shouldn't
go; most of the ports are not even open.

Anyhow I was wondering if you can help me debug this:

08:46:27.293260 fdsworldwide.demon.nl.30971 >
broadcast.nbc.netcom.ca.16404: SFP [bad hdr length] (DF)
08:46:29.071373 fdsworldwide.demon.nl.30972 >
broadcast.nbc.netcom.ca.16404: RP [bad hdr length] (DF)
08:46:29.224389 fdsworldwide.demon.nl.30966 >
broadcast.nbc.netcom.ca.32788: SR [bad hdr length] (DF)
08:46:39.598155 fdsworldwide.demon.nl.30970 >
broadcast.nbc.netcom.ca.16404: SP [bad hdr length] (DF)
08:47:06.943844 fdsworldwide.demon.nl.30974 >
host-097.nbc.netcom.ca.32796: SRP 2029944860:2029944860(0) ack
2029944860 win 32796 urg 32796 <[bad opt]> (DF)
08:47:10.126908 fdsworldwide.demon.nl.30970 >
host-097.nbc.netcom.ca.16692: SP 2029666612:2029666890(278) ack
2029666612 win 16692 urg 16692 <[bad opt]> (DF)
08:47:20.001403 finch-04.www-cache.demon.co.uk.30974 >
host-248.nbc.netcom.ca.16404: SRP [bad hdr length]
08:47:20.104466 finch-04.www-cache.demon.co.uk.30974 >
host-248.nbc.netcom.ca.16404: SRP [bad hdr length]
08:47:37.952308 fdsworldwide.demon.nl.30966 >
broadcast.nbc.netcom.ca.49180: SR 2029436956:2029436956(0) ack
2029436956 win 49180 urg 49180 <[bad opt]> (DF)
08:47:47.989190 fdsworldwide.demon.nl.30970 >
broadcast.nbc.netcom.ca.ftp-data: SP 2029649940:2029649940(0) ack
2029649940 win 20 urg 20 <[bad opt]> (DF)
08:47:48.575553 fdsworldwide.demon.nl.30971 >
broadcast.nbc.netcom.ca.16404: SFP [bad hdr length] (DF)
08:47:50.376427 fdsworldwide.demon.nl.30974 >
broadcast.nbc.netcom.ca.16404: SRP [bad hdr length] (DF)
08:47:50.794219 fdsworldwide.demon.nl.30975 >
broadcast.nbc.netcom.ca.16916: SFRP [bad hdr length] (DF)

Sometimes I get bad opt instead of bad hdr length. And it appears that I
get this from 30 other machines as well...
And on another note, on a RH6.0 is there any reason why in.inetd would open up port 98?

Thx
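As an added example (not part of the original post), a small Python parser for the tcpdump lines quoted above that pulls out what a defender would want from them: the [bad hdr length] and [bad opt] decode failures, contradictory flag pairs such as SYN+FIN and SYN+RST, and the window/urgent-pointer values that equal the destination port in every fully decoded line, then counts hits per source host. The wrapped lines are re-joined onto one line each; the ftp-data name mapping to port 20 is the only value not taken from the post.

```python
import re
from collections import Counter

# The tcpdump lines quoted in the post, re-joined onto one line each
TRACE = """\
08:46:27.293260 fdsworldwide.demon.nl.30971 > broadcast.nbc.netcom.ca.16404: SFP [bad hdr length] (DF)
08:46:29.224389 fdsworldwide.demon.nl.30966 > broadcast.nbc.netcom.ca.32788: SR [bad hdr length] (DF)
08:47:06.943844 fdsworldwide.demon.nl.30974 > host-097.nbc.netcom.ca.32796: SRP 2029944860:2029944860(0) ack 2029944860 win 32796 urg 32796 <[bad opt]> (DF)
08:47:20.001403 finch-04.www-cache.demon.co.uk.30974 > host-248.nbc.netcom.ca.16404: SRP [bad hdr length]
08:47:47.989190 fdsworldwide.demon.nl.30970 > broadcast.nbc.netcom.ca.ftp-data: SP 2029649940:2029649940(0) ack 2029649940 win 20 urg 20 <[bad opt]> (DF)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>\S+): "
    r"(?P<flags>[SFRPU.]+)(?P<rest>.*)$"
)
CONTRADICTORY = [("S", "F"), ("S", "R")]  # flag pairs no conforming TCP stack sets together
PORT_NAMES = {"ftp-data": "20"}  # service names tcpdump substitutes for port numbers

def analyse(line):
    """Return (src, dst, dport, findings) or None if the line is not a TCP record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags, rest, findings = set(m["flags"]), m["rest"], []
    if "bad hdr length" in rest:
        findings.append("bad-hdr-length")  # data offset field does not fit the packet
    if "bad opt" in rest:
        findings.append("bad-options")  # TCP options could not be parsed
    for a, b in CONTRADICTORY:
        if a in flags and b in flags:
            findings.append(f"flags-{a}+{b}")
    dport = PORT_NAMES.get(m["dport"], m["dport"])
    win = re.search(r"\bwin (\d+)", rest)
    urg = re.search(r"\burg (\d+)", rest)
    # window and urgent pointer both equal to the destination port, as in every fully
    # decoded line of the post: values copied from the port rather than set by a TCP stack
    if win and urg and win[1] == urg[1] == dport:
        findings.append("win/urg=dport")
    return m["src"], m["dst"], dport, findings

def summarise(trace):
    """Anomalous records plus a per-source count: a quick 'who is sending this' view."""
    hits, by_src = [], Counter()
    for line in trace.splitlines():
        r = analyse(line)
        if r and r[3]:
            hits.append(r)
            by_src[r[0]] += 1
    return hits, by_src
```

Running `summarise(TRACE)` over the quoted trace flags every line and attributes four of the five to fdsworldwide.demon.nl, which is the per-source view to compare against the 30 other machines the post mentions.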