GEN:SID | 1:1322 |
Message | BAD-TRAFFIC bad frag bits |
Summary | This event is generated when packets on the network have both the fragment and don't fragment bits set.
|
Impact | Possible reconnaisance.
|
Detailed Information | This rule detects a case where the packet is designated as having more fragments whilst at the same time the "don't fragment" bit is also set.
Under normal circumstances an ICMP error message (type 3 code 5) should be generated and sent back to the source of the packet.
The attacker may be trying to ascertain information about the network architecture and configuration of network devices as a prelude to an attack.
an indicator of unauthorized network use, reconnaisance activity or system compromise. These rules may also generate an event due to improperly configured network devices.
|
Affected Systems | All
|
Attack Scenarios | The attacker would need to craft packets with the fragment and don't fragment bits set.
|
Ease of Attack | Simple
|
Corrective Action | Employ a packet filtering firewall to deny outbound ICMP error messages.
|
Additional References | |