[Snort-users] DDoS?? almost 40k 'TCP Data Offset is less than 5!' alerts in 30 mins

lpj0508 at ...2792...
Tue Jun 17 05:39:35 EDT 2003


hi,

i've been seeing around 30 tcp data offset alerts daily on my ids, and was not really worried by that.

what got me worried was what happened last night when there was a sudden flood of such packets hitting 1 of my servers. this happened for about 30 mins and the packets all came from different sources. furthermore, the destination ports of the packets seem to be random (most of these not even listening ports on my server).

it looks really like a kind of distributed denial of service attack to me. has anyone seen this before? are such packets (tcp offset < 5) known to cause any harm to a system, i.e. higher load, compromise?

hope someone can shed some light on this.

lpj
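
An added example, not part of the original post and not Snort's own code: it checks the TCP data offset field that the alert text refers to, then profiles the offending packets by source and destination port, the two properties the post describes. The function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

MIN_DOFF = 5  # a TCP header is at least 5 32-bit words (20 bytes), RFC 793

def classify_tcp(segment: bytes) -> str:
    """Return 'truncated', 'bad_offset', 'overrun' or 'ok' for a raw TCP segment."""
    if len(segment) < 20:
        return "truncated"        # no complete fixed header to read
    doff = segment[12] >> 4       # upper nibble of byte 12, counted in 32-bit words
    if doff < MIN_DOFF:
        return "bad_offset"       # the condition named in the alert text
    if doff * 4 > len(segment):
        return "overrun"          # header claims more bytes than were captured
    return "ok"

def make_segment(sport, dport, doff, flags=0x02):
    """Build a constructed 20-byte TCP header carrying the given data offset."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, flags, 8192, 0, 0)

def summarize(packets):
    """packets: iterable of (src_ip, raw_tcp_segment); profile the bad-offset ones."""
    srcs, dports = Counter(), Counter()
    for src, seg in packets:
        if classify_tcp(seg) == "bad_offset":
            srcs[src] += 1
            dports[struct.unpack("!H", seg[2:4])[0]] += 1
    total = sum(srcs.values())
    return {
        "bad_offset": total,
        "sources": len(srcs),
        "dst_ports": len(dports),
        # share of alerts from the single busiest source; low means widely spread
        "top_source_share": max(srcs.values()) / total if total else 0.0,
    }

# Constructed sample: 40 malformed headers from 192.0.2.0/24 (documentation range),
# each to a different port, plus one well-formed SYN that must not be counted.
SAMPLE = [(f"192.0.2.{i}", make_segment(1024 + i, 2000 + 7 * i, i % 5))
          for i in range(1, 41)]
SAMPLE.append(("192.0.2.200", make_segment(40000, 80, 5)))

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A profile with many sources, many destination ports and a low top-source share matches the pattern described in the post; the source addresses on such packets are only what the IP header claims.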
