Ethereal-users: [Ethereal-users] Covert Channel Detected?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Robinson, Eric" <eric@xxxxxxxxx>
Date: Fri, 5 Nov 2004 01:48:59 -0800

Today I noticed that one of my DMZ servers is receiving Fragmented IP Protocol packets from a class C subnet in Russia (83.102.166.X). The packets arrive at intervals of approximately 1-30 seconds, each from a random address in the same subnet, and all carry 25 bytes of UDP payload.

I cannot think of a reason that my server (used only for HTTP and DNS) should be receiving such packets. None of my other DMZ servers are seeing them.

It occurs to my paranoid mind that this could be evidence of a covert channel Trojan trying to make contact with my server. If so, then my server is apparently ignoring it. At least, it does not send any packets back to the same subnet. However, the packets (probes?) keep coming.

Has anyone seen anything like this? I have attached a small trace.

--

Eric Robinson

Attachment: frag-channel
Description: frag-channel
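The attached trace is not reproduced in the archive, so the following is an added example (not from the poster or the Ethereal project) of how a defender could check a capture for the pattern described in the post: IP fragments sourced from 83.102.166.0/24 whose reassembled UDP datagram carries 25 bytes of payload, plus the inter-arrival intervals between them. It parses raw IPv4 headers directly with the standard library, so it runs offline; the packets, timestamps, the DMZ server address 192.0.2.10 and the hosts .5/.77/.200 in the subnet are constructed sample data, not values from the trace.

```python
import struct
import ipaddress
from collections import Counter

# Subnet named in the post; everything else in this file is constructed sample data.
SUSPECT_NET = ipaddress.ip_network("83.102.166.0/24")
IPPROTO_UDP = 17
IP_MF = 0x2000        # "More Fragments" flag in the IPv4 flags/offset field
IP_OFFMASK = 0x1FFF   # fragment offset, in 8-byte units


def build_ipv4(src, dst, ident, more_frags, offset_bytes, proto, payload):
    """Minimal IPv4 packet (no options, checksum left zero) for the sample set."""
    assert offset_bytes % 8 == 0, "fragment offsets are 8-byte aligned"
    flags_frag = (IP_MF if more_frags else 0) | ((offset_bytes // 8) & IP_OFFMASK)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload


def build_udp(sport, dport, data):
    """UDP header (checksum zero) followed by data; the length field covers header + data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment_udp(src, dst, ident, sport, dport, data, first_frag_size=24):
    """Split one UDP datagram into two IP fragments sharing the same IP ID."""
    datagram = build_udp(sport, dport, data)
    first = build_ipv4(src, dst, ident, True, 0, IPPROTO_UDP, datagram[:first_frag_size])
    second = build_ipv4(src, dst, ident, False, first_frag_size, IPPROTO_UDP,
                        datagram[first_frag_size:])
    return [first, second]


def parse_ipv4(pkt):
    """Decode the fixed IPv4 header; returns fields needed for fragment analysis."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "id": ident,
        "mf": bool(flags_frag & IP_MF),
        "offset": (flags_frag & IP_OFFMASK) * 8,
        "proto": proto,
        "payload": pkt[ihl:total_len],
    }


def is_fragment(h):
    # Either the MF flag is set (not the last piece) or the offset is non-zero (not the first)
    return h["mf"] or h["offset"] > 0


def analyze(packets):
    """packets: list of (timestamp_seconds, raw_ipv4_bytes). Summarises suspect fragments."""
    srcs = Counter()
    payload_lens = Counter()
    first_frag_times = []
    for ts, raw in packets:
        h = parse_ipv4(raw)
        if not is_fragment(h) or h["src"] not in SUSPECT_NET:
            continue
        srcs[str(h["src"])] += 1
        if h["offset"] == 0 and h["proto"] == IPPROTO_UDP and len(h["payload"]) >= 8:
            # Only the first fragment carries the UDP header; its length field
            # describes the whole datagram, so payload size is known before reassembly.
            udp_len = struct.unpack("!H", h["payload"][4:6])[0]
            payload_lens[udp_len - 8] += 1
            first_frag_times.append(ts)
    intervals = [b - a for a, b in zip(first_frag_times, first_frag_times[1:])]
    return {
        "fragments": sum(srcs.values()),
        "sources": sorted(srcs),
        "udp_payload_lengths": dict(payload_lens),
        "intervals": intervals,
    }


def sample_capture():
    """Constructed sample: three fragmented 25-byte UDP datagrams from different hosts in the subnet, plus noise."""
    server = "192.0.2.10"  # placeholder for the DMZ server in the post
    data = b"X" * 25
    pkts, t = [], 0.0
    for i, host in enumerate([5, 77, 200]):
        for frag in fragment_udp(f"83.102.166.{host}", server, 0x1000 + i, 40000 + i, 53, data):
            pkts.append((t, frag))
        t += [4.0, 17.0, 1.0][i]
    # Unfragmented DNS query from an unrelated host: must be ignored
    pkts.append((t, build_ipv4("198.51.100.7", server, 0x2000, False, 0, IPPROTO_UDP,
                               build_udp(5353, 53, b"Q" * 30))))
    # A fragment from outside the subnet: also ignored by this check
    pkts.extend((t + 1.0, f) for f in fragment_udp("203.0.113.9", server, 0x3000, 1234, 53, b"Y" * 25))
    return pkts


if __name__ == "__main__":
    print(analyze(sample_capture()))
```

Reading the UDP length from the first fragment gives the payload size without reassembling, which is useful when the second fragment never arrives; on a real capture the same `analyze` function can be fed packets read from a pcap reader in place of `sample_capture()`.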