[Snort-users] DDoS?? almost 40k 'TCP Data Offset is less than 5!' alerts in 30 mins

lpj0508 at ...2792...
Tue Jun 17 05:39:35 EDT 2003


I've been seeing around 30 TCP data offset alerts daily on my IDS, and was not really worried by that.

What got me worried was what happened last night, when there was a sudden flood of such packets hitting 1 of my servers. This happened for about 30 mins and the packets all came from different sources. Furthermore, the destination ports of the packets seem to be random (most of these not even listening ports on my server).

It looks really like a kind of distributed denial of service attack to me. Has anyone seen this before? Are such packets (TCP offset < 5) known to cause any harm to a system, i.e. higher load, compromise?

Hope someone can shed some light on this.
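
What the "TCP Data Offset is less than 5!" alert checks, with a tally of the pattern described in the post (many sources, scattered destination ports), as an added example that is not part of the original post: the data offset is the upper 4 bits of byte 12 of the TCP header, counted in 32-bit words, so a value under 5 claims a header shorter than the 20-byte minimum. The packet list, addresses and helper names (`make_header`, `parse_tcp`, `summarize`) are constructed for illustration.

```python
import struct
from collections import Counter

MIN_DATA_OFFSET = 5  # 5 x 32-bit words = 20 bytes, the smallest legal TCP header

def make_header(src_port, dst_port, data_offset, flags=0x02):
    """Build a 20-byte TCP header with a chosen data offset (constructed test input)."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset << 4, flags, 8192, 0, 0)

def parse_tcp(header):
    """Return (src_port, dst_port, data_offset), or None if byte 12 is not present."""
    if len(header) < 13:
        return None
    src_port, dst_port = struct.unpack("!HH", header[:4])
    return src_port, dst_port, header[12] >> 4  # upper nibble of byte 12

def summarize(packets):
    """Tally packets whose data offset is below 5, by source and destination port.

    packets: iterable of (src_ip, raw_tcp_header_bytes).
    """
    sources, ports = Counter(), Counter()
    for src_ip, header in packets:
        parsed = parse_tcp(header)
        if parsed is None:
            continue  # truncated before the offset field; not this alert
        _, dst_port, offset = parsed
        if offset < MIN_DATA_OFFSET:
            sources[src_ip] += 1
            ports[dst_port] += 1
    return {
        "malformed": sum(sources.values()),
        "distinct_sources": len(sources),
        "distinct_dst_ports": len(ports),
        "top_source": sources.most_common(1)[0] if sources else None,
    }

# Constructed sample: documentation-range addresses, arbitrary ports.
SAMPLE = [
    ("192.0.2.10", make_header(40000, 80, 5)),       # well-formed, minimum header
    ("198.51.100.7", make_header(1234, 31337, 0)),   # offset 0
    ("203.0.113.5", make_header(2345, 6000, 2)),     # offset 2
    ("198.51.100.7", make_header(1235, 44444, 4)),   # offset 4
    ("192.0.2.99", make_header(999, 25, 15)),        # offset 15 is legal (60 bytes)
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```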

