From: "D. W. Piper"
Delivered-To: freebsd-security@freebsd.org
Subject: Another question on IPFW Rule -1
Date: Tue, 17 Jul 2001 13:05:39 -0700
Organization: The Loop Internet

Originally I'd asked whether IPFW rule -1 always indicated an attack, because for the last few weeks we've been seeing the following entries in the IPFW logs on two of our servers:

    ipfw: -1 Refuse TCP aaa.bbb.ccc.ddd www.xxx.yyy.zzz in via de0 Fragment = 184

Yesterday, for example, it happened for about 25 minutes on the primary mail server; then, when it stopped happening on that server, it happened for about 20 minutes on one of our secondary mail servers.

As I said earlier, this has been going on for the last few weeks, always from the same IP address, always to the same two of our servers, and always with "Fragment = 184".

Can anyone shed any light on what's going on here? Is it significant that it's always "Fragment = 184"? (Is that the number of the fragment, or if not, what does it mean?)
Thank you,
David
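One way to get a handle on a pattern like this is to aggregate the rule -1 entries by source, destination, interface and fragment value, so the bursts (how many hits, over how many minutes) and the repeated fragment value stand out. The following is an added example, not code from the original message or from FreeBSD; the log lines are constructed in the quoted format with RFC 5737 documentation addresses, and it assumes that "Fragment = N" is the IP fragment-offset field, which is counted in 8-byte units.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of syslog lines in the format quoted in the message
# (addresses are RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG = """\
Jul 16 14:02:11 mail1 /kernel: ipfw: -1 Refuse TCP 198.51.100.7 203.0.113.25 in via de0 Fragment = 184
Jul 16 14:10:40 mail1 /kernel: ipfw: -1 Refuse TCP 198.51.100.7 203.0.113.25 in via de0 Fragment = 184
Jul 16 14:27:03 mail1 /kernel: ipfw: -1 Refuse TCP 198.51.100.7 203.0.113.25 in via de0 Fragment = 184
Jul 16 14:31:55 mail1 /kernel: ipfw: 300 Deny TCP 192.0.2.9:4821 203.0.113.25:23 in via de0
"""

# Matches both fragment refusals (no ports) and ordinary rule hits (with ports).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ ipfw: (?P<rule>-?\d+) (?P<action>\w+) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?::\d+)? (?P<dst>[\d.]+)(?::\d+)? "
    r"(?P<dir>in|out) via (?P<iface>\S+)(?: Fragment = (?P<frag>\d+))?"
)

def parse_ipfw_log(text):
    """Return one dict per recognised ipfw log line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        # syslog timestamps carry no year; only differences between them are used
        e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")
        e["rule"] = int(e["rule"])
        e["frag"] = int(e["frag"]) if e["frag"] is not None else None
        events.append(e)
    return events

def summarize_rule_minus_one(events):
    """Group rule -1 refusals by (src, dst, iface, frag) and report how many hits
    fell into each group, the span in minutes, and the fragment's byte offset
    (assumption: the logged value is the IP fragment-offset field, 8-byte units)."""
    groups = defaultdict(list)
    for e in events:
        if e["rule"] == -1:
            groups[(e["src"], e["dst"], e["iface"], e["frag"])].append(e["ts"])
    summary = {}
    for key, stamps in groups.items():
        span = (max(stamps) - min(stamps)).total_seconds() / 60
        summary[key] = {"count": len(stamps), "minutes": round(span, 1),
                        "byte_offset": key[3] * 8 if key[3] is not None else None}
    return summary
```

Run over a real /var/log/security file, the summary shows whether the refusals come from one source in bursts, as described above, and a constant offset (here 184, i.e. byte 1472) points at a fixed fragmentation boundary rather than a fragment sequence number.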