Ethereal

[Ethereal-users] Covert Channel Detected?
Google
 
Web Ethereal.com

Home | Introduction | Documentation | Lists | FAQ | Development | Wiki | Bugs

Main Index | Thread Index | Mailing Lists | | Date Prev | Date Next | Thread Prev | Thread Next

Ethereal-users: November 2004

Today I noticed that one of my DMZ servers is receiving Fragmented IP Protocol packets from a class C subnet in Russia (83.102.166.X). The packets arrive at intervals of approximately 1-30 seconds, each from a random address in the same subnet, and all carry 25 bytes of UDP payload.

 

I cannot think of a reason that my server (used only for HTTP and DNS) should be receiving such packets. None of my other DMZ servers are seeing them.

 

It occurs to my paranoid mind that this could be evidence of a covert channel Trojan trying to make contact to my server. If so, then my server is apparently ignoring it. At least, it does not send any packets back to the same subnet. However the packets (probes?) keep coming.

 

Has anyone seen anything like this? I have attached a small trace.

 

--

Eric Robinson

 

Attachment: frag-channel
Description: frag-channel

Powered by MHonArc 2.6.10

Please send support questions about Ethereal to the ethereal-users[AT]ethereal.com mailing list.
For corrections/additions/suggestions for this web page (and not Ethereal support questions), please send email to ethereal-web[AT]ethereal.com.
Last modified: Fri, November 10 2006.
"Ethereal" and the "e" logo are registered trademarks of Ethereal, Inc.