Hi

After having a look at this here are a few comments:

The transport layer is malformed, which is evidence of packet crafting in the network.

The IP frame is fragmented, which could indicate a means of penetrating to systems for remote triggering of events.

The frame sizes are in error, hence the trailer.

Suggestions:

I do not think this is a scanner, as it is not following Syn/Fin/Xmas style structures and therefore no information is leaking from your systems back to the source.

I think this may be a means of controlling / triggering DDoS zombies that are infected on the net already.

Actions:

I suggest stateful inspection of traffic into your web server; simple TCP handshakes and state analysis will prevent fragments arriving and therefore remove this potential.

If using Windows (post 2k) close off the ports not required on the server, using the advanced network settings.

With a Cisco router before the server, control the flow of ports both INTO and OUT from the server, using asymmetric ACLs ingress and egress + reflexive ACLs to perform an open port when TCP states are matched correctly. At least configure Lock & Key ACLs to provide a punch through to the server on designated ports which can close. I personally like the TCP established ACL, as this can provide all required HTTP / FTP connections.

Trawl through all apps / services / daemons running on the server and verify that they are legitimate.

Hope this helps.

Rick
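A small checker for the three symptoms Rick lists (fragmentation, a transport header that does not fit in the first fragment, and trailer bytes beyond the IP total length), added here as an illustration and not part of the original thread. The packet bytes it inspects are constructed samples rather than the capture under discussion, and the addresses 198.51.100.7 and 192.0.2.10 are documentation placeholders.

```python
import struct

IPV4_FMT = "!BBHHHBBH4s4s"          # fixed 20-byte IPv4 header
MIN_TRANSPORT_HDR = {6: 20, 17: 8}  # protocol number -> bytes a TCP / UDP header needs

def analyse_ipv4(packet: bytes) -> dict:
    """Report fragmentation, a malformed transport header and trailer bytes
    for one IPv4 packet (the bytes after the Ethernet header)."""
    if len(packet) < 20:
        raise ValueError("shorter than an IPv4 header")
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & 0x2000)   # MF bit
    frag_offset = (flags_frag & 0x1FFF) * 8      # offset field is in 8-byte units
    # Captured bytes past the declared total length are a trailer.
    trailer_bytes = max(0, len(packet) - total_len)
    # Only the first fragment carries the transport header; if it holds fewer
    # bytes than that header needs, the transport layer is malformed.
    transport_len = max(0, min(total_len, len(packet)) - ihl)
    need = MIN_TRANSPORT_HDR.get(proto)
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "fragmented": more_fragments or frag_offset > 0,
        "first_fragment": frag_offset == 0,
        "trailer_bytes": trailer_bytes,
        "transport_malformed": frag_offset == 0 and need is not None and transport_len < need,
    }

def ipv4_header(total_len: int, flags_frag: int, proto: int = 6) -> bytes:
    """Constructed header (checksum left zero) from 198.51.100.7 to 192.0.2.10."""
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                       bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]))

def suspicious_sample() -> bytes:
    """Constructed: MF set, offset 0, only 8 bytes of TCP header, then 6 trailer bytes."""
    return ipv4_header(28, 0x2000) + struct.pack("!HHI", 1234, 80, 0) + b"\x00" * 6

def clean_sample() -> bytes:
    """Constructed: DF set, full 20-byte TCP SYN to port 80, no trailer."""
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ipv4_header(40, 0x4000) + tcp

if __name__ == "__main__":
    for name, pkt in (("suspicious", suspicious_sample()), ("clean", clean_sample())):
        print(name, analyse_ipv4(pkt))
```

Packets flagged as fragmented with a malformed first fragment are exactly what the stateful inspection Rick recommends would drop before they reach the server.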
Okay, before anybody zaps me for saying "class C," I meant it is a C-sized CIDR block.

--
Eric Robinson