Re: kernel syslog message

From: Gigi Sullivan (sullivan@sikurezza.org)
Date: Mon Jun 12 2000 - 06:50:31 EST


Aiee :)

        Hello!

> Can anyone tell me what these log file entries mean?
>
>
> Jun 8 12:30:02 ruby kernel: Suspect short first fragment.
> Jun 8 12:30:02 ruby kernel: eth0 PROTO=6 212.140.74.85:0 195.138.224.3:0
> L=20 S=0x00 I=38663 F=0x6000 T=21 (#0)
> Jun 8 12:30:05 ruby kernel: Suspect short first fragment.
> Jun 8 12:30:05 ruby kernel: eth0 PROTO=6 212.140.74.85:0 195.138.224.3:0
> L=20 S=0x00 I=38919 F=0x6000 T=21 (#0)

        I guess that someone (212.140.74.85) is trying to send you a
        fragmented TCP segment.

        There are, at least, two reasons why this shouldn't happen, IMHO:

                1 - TCP never sends fragmented segments (if PMTU discovery is,
                    by default, active), so this is strange.
                2 - This should be an attempt to open a firewalled service by
                    means of fragment overlaps.

        The Linux firewall software deals with that as stated in net/ipv4/ip_fw.c:

      /* True when the packet is shorter than the IP header plus the
       * transport-header bytes the firewall must inspect (size_req).
       */
      offset = (ntohs(ip->tot_len) < (ip->ihl<<2)+size_req);

      /* If it is a truncated first fragment then it can be
       * used to rewrite port information, and thus should
       * be blocked.
       */
      if (offset && (ntohs(ip->frag_off) & IP_MF)) {
         if (!testing && net_ratelimit()) {
            printk("Suspect short first fragment.\n");
            dump_packet(ip,rif,NULL,NULL,0,0,0,0);
         }
         return FW_BLOCK;
      }

        Hope this helps (and it's right ;))

bye bye

                        -- gg sullivan

> Regards,
>
> AW

-- 
Lorenzo Cavallaro	`Gigi Sullivan' <sullivan@sikurezza.org>

Until I loved, life had no beauty; I did not know I lived until I had loved. (Theodor Korner)

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu
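The check quoted from ip_fw.c, reimplemented in user space as an added example (this is not the kernel's own code and not part of the thread): it parses a raw IPv4 header, computes the same "too short to carry the transport header" condition, and flags the packet when the More Fragments bit is also set. The transport-header sizes it requires (16 bytes for TCP, through the flags word; 8 for UDP) are assumptions, since the message does not quote how `size_req` is chosen. The sample packets are constructed from the fields in the logged lines (L=20, I=38663, F=0x6000, T=21, PROTO=6) plus two ordinary packets for contrast.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_MF      0x2000   /* More Fragments flag in the frag_off field */
#define IP_OFFSET  0x1fff   /* fragment offset bits (in 8-byte units) */
#define IPPROTO_TCP 6
#define IPPROTO_UDP 17

/* Fields of an IPv4 header that the check reads, already in host order. */
typedef struct {
    unsigned ihl;       /* header length in 32-bit words */
    uint16_t tot_len;   /* total packet length in bytes */
    uint16_t frag_off;  /* flags + fragment offset */
    uint8_t  proto;
} ipv4_hdr_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the fixed part of an IPv4 header. Returns 1 on success, 0 if the
 * buffer is too small or does not look like IPv4. */
static int parse_ipv4(const uint8_t *buf, size_t len, ipv4_hdr_t *h) {
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    h->ihl = buf[0] & 0x0f;
    if (h->ihl < 5) return 0;
    h->tot_len  = rd16(buf + 2);
    h->frag_off = rd16(buf + 6);
    h->proto    = buf[9];
    return 1;
}

/* Bytes of transport header the firewall needs in order to read ports
 * (and, for TCP, the flags word). ASSUMPTION: values chosen for this example. */
static size_t transport_size_req(uint8_t proto) {
    switch (proto) {
    case IPPROTO_TCP: return 16;
    case IPPROTO_UDP: return 8;
    default:          return 0;
    }
}

/* The ip_fw.c condition: 1 = suspect short first fragment (would be blocked),
 * 0 = not flagged by this check, -1 = header could not be parsed. */
int suspect_short_first_fragment(const uint8_t *buf, size_t len) {
    ipv4_hdr_t h;
    if (!parse_ipv4(buf, len, &h)) return -1;
    int too_short = h.tot_len < (h.ihl << 2) + transport_size_req(h.proto);
    return (too_short && (h.frag_off & IP_MF)) ? 1 : 0;
}

/* Build a constructed 20-byte IPv4 header (no options). Addresses and the
 * checksum are left zero because the check never reads them. */
static void make_ipv4(uint8_t out[20], uint16_t tot_len, uint16_t id,
                      uint16_t frag_off, uint8_t ttl, uint8_t proto) {
    memset(out, 0, 20);
    out[0] = 0x45;                                  /* version 4, IHL 5 */
    out[2] = tot_len >> 8;  out[3] = tot_len & 0xff;
    out[4] = id >> 8;       out[5] = id & 0xff;
    out[6] = frag_off >> 8; out[7] = frag_off & 0xff;
    out[8] = ttl;
    out[9] = proto;
}

/* The packet from the first logged line: L=20 I=38663 F=0x6000 T=21 PROTO=6. */
int check_logged_packet(void) {
    uint8_t b[20];
    make_ipv4(b, 20, 38663, 0x6000, 21, IPPROTO_TCP);
    return suspect_short_first_fragment(b, sizeof b);
}

/* An ordinary unfragmented TCP SYN (20-byte IP + 20-byte TCP, DF set). */
int check_plain_syn(void) {
    uint8_t b[20];
    make_ipv4(b, 40, 1, 0x4000, 64, IPPROTO_TCP);
    return suspect_short_first_fragment(b, sizeof b);
}

/* A first fragment that carries the whole inspected TCP header (20 + 16 = 36
 * bytes) with MF set: fragmented, but not short, so not flagged. */
int check_full_first_fragment(void) {
    uint8_t b[20];
    make_ipv4(b, 36, 2, IP_MF, 64, IPPROTO_TCP);
    return suspect_short_first_fragment(b, sizeof b);
}

int main(void) {
    printf("logged packet      -> %d (1 = block)\n", check_logged_packet());
    printf("plain SYN          -> %d\n", check_plain_syn());
    printf("full first fragment-> %d\n", check_full_first_fragment());
    return 0;
}
```

Note that the logged F=0x6000 has both DF (0x4000) and MF (0x2000) set with a zero offset, which is itself an unusual combination; the check only cares that MF is set while the 20-byte packet cannot hold the TCP ports and flags, so a later overlapping fragment could supply them after the firewall has made its decision.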



This archive was generated by hypermail 2b29 : Thu Jun 15 2000 - 21:00:40 EST