Internet Security Systems

IP microfragment

advICE : Intrusions : 2000020
Summary

Tiny IP fragments have been seen. While not illegal, these fragments indicate that something unusual is going on.

Details

The maximum size of an IP packet is around 65,535 bytes. However, most physical connections, such as dial-up lines, Ethernet, or cable modems, cannot handle such large packets. Most importantly, some Internet links between continents can only handle roughly 500-byte IP packets.

Therefore, when sending a large packet, the sender needs to fragment it into pieces that can fit on the wire. Routers on intercontinental links do this for you automatically. This means that the smallest IP fragments should be around the size of the smallest link, which is roughly 500 bytes.

This signature triggers when packets around 8-32 bytes are seen. This is unnecessarily small.

Defense

Many firewalls will filter out these packets.

Spoofing

Many instances of this attack are from spoofed IP addresses.

False positives

Note that trailing fragments will often be within the microfragment range. Trailing fragments do not trigger this event.

More information

NewTear
Microfragments are often seen as part of other attacks, such as NewTear.

Parametric information

offset: The offset from the start of the original packet this fragment appeared in.
len: The length of this fragment.
proto: The protocol number (1=ICMP, 6=TCP, 17=UDP).
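
The trigger condition and the trailing-fragment exclusion described above, as an added Python example (not ISS code) that reports the same offset, len and proto fields. Measuring len without the IP header, treating 8-32 as inclusive bounds, and the names build_ipv4, check_fragment and scan are assumptions.

```python
import struct

MICRO_MIN, MICRO_MAX = 8, 32  # payload byte range the page gives for the signature

def build_ipv4(payload_len, offset, more_fragments, proto):
    """Constructed test packet: 20-byte IPv4 header (checksum left 0) + zero payload."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + bytes(payload_len)

def check_fragment(packet):
    """Return {'offset', 'len', 'proto'} for a microfragment, otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                          # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or total_len < ihl:
        return None                          # malformed header lengths
    if not flags_frag & 0x2000:
        return None                          # MF clear: unfragmented or trailing fragment
    payload_len = total_len - ihl            # assumption: "len" excludes the IP header
    if MICRO_MIN <= payload_len <= MICRO_MAX:
        return {"offset": (flags_frag & 0x1FFF) * 8,  # field is in 8-byte units
                "len": payload_len, "proto": packet[9]}
    return None

def scan(packets):
    """Collect one alert per microfragment seen in an iterable of raw IPv4 packets."""
    return [alert for alert in map(check_fragment, packets) if alert]

# Constructed sample traffic (not captured data).
SAMPLES = [
    build_ipv4(8, 0, True, 6),        # 8-byte first fragment of a TCP packet -> alert
    build_ipv4(24, 8, True, 6),       # 24-byte middle fragment -> alert
    build_ipv4(16, 1480, False, 17),  # small trailing fragment -> ignored
    build_ipv4(1480, 0, True, 17),    # normal Ethernet-sized fragment -> ignored
    build_ipv4(20, 0, False, 1),      # small unfragmented ICMP packet -> ignored
]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```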

 
Version appeared: 2.5 
