Just to help with data collection, let me add a couple of things and ask if you would provide similar:

1. I mentioned before that at least in my network, these always seem to come to or from Active Directory servers or SQL cluster machines. I typically see them on the internal network (we don't have any of those other two types of machines in our DMZ) although I have seen one or two "hits" of this from the Internet trying to come in. Does this fit the description of your own machines that seem to be involved?

2. We use almost exclusively Compaq servers. I'm not on the team that manages them, but I'll give a 95% confident statement that these are running Windows 2000.

I'm trying to find all the patterns I can - I'm not smart enough to dig a whole lot deeper, but hopefully anything we can establish as a pattern will help with ultimate identification.

I am attaching an edited capture in pcap format - edited because I only want to include the single packet that resulted in the alert.

--James

If you have an incomplete datagram the missing information is filled with 0x3f which is '?'. This is a feature not a bug :)

If you are still seeing 0x3f bytes in a datagram that is complete, then we are talking about a bug. I would be interested in seeing any trace with packets that cause that.

My comments apply to version 3.x. Are you running 4.x and still getting -x3f?

Yes, we're running version 4.x on IDSMv2 blades. I think we're at S94.

Okay. Thanks we are looking into this now.

I am seeing this traffic as well. I am seeing about 150 attempts a day from the internet to our firewall. The signatures that I see fire are 1204-No Initial Frag and 1208-Incomplete Datagram, source and dest port 16191. This is seen by a 4235 running 4.1(4)S94. I saw a post on incidents.org where another Cisco user is seeing this occur on 3 signatures.

http://www.incidents.org/diary.php?date=2004-05-18&isc=46270c26d5494471304e344a661994e7

I thought perhaps this extra info might be of some use.

Thanks.

Same, v4.1-4-S94

Also my target is an Oracle server running under Solaris 2.8, not Compaq unfortunately.

We use AD within our corp. but these packets have only been seen at the dmz point.

Nice to see Cisco looking in to it.

I was the guy that reported that. They had a note a few days previously, something like "we're getting reports of fragmented traffic towards port 16191" but no other details, and a call for someone to submit more information.

--James

Preliminary analysis based on the extremely limitted data available, I would say that this is most likely caused by a high level of fragmented UDP traffic. The packets in these logs ( as well as from earlier messages ) are only trigger packets. In the case of the 12xx series of alarms the trigger packet is a (partially) reassembled datagram built from the data kept by the Fragment Reassembly Unit (FRU) ... any portions of the d-gram that are missing are replaced with '0x3f'. It appears that the FRU was only able to queue the final fragment, probably due to buffer limits imposed on it.

To avoid this problem try changing the FragmentReassembly settings ( try increasing 'IPReassembleMaxFrags' ). You will probably also need to change the 'FragmentThreshold' settings for these signatures.

I agree that UDP fragments could explain some of these alarms (particularly for the folks noting the activity in relation to very specific network conditions and involved systems), but I think it’s more important that we now know what the Fragment Reassembly Unit (FRU) is up to.

The info about the FRU using padding is very important. This changes how someone will react to these alarms because we now know 0x3f is a pad put in by the IDS to cover any missing fragment and not some variation of a NOOP sled that is part of someone’s buffer overflow attack!

One question/concern. If you increase the max number of fragments, do you not also increase the performance cost for this particular group of signatures? It would appear the default for "IPReasembleMaxFrags" is currently set at 10000 and while that sounds like a lot, it seems to me that it stands to reason that this setting is actually woefully inadequate if a sensor is monitoring a link where a lot of IPSec traffic (or other activity where fragmentation is quite normal) is moving through. The problem now is figuring how much is too much when in comes to configuring the "IPReasembleMaxFrags" variable... On a related point, can we expect Cisco to produce tuned versions of the 12xx series of signatures in order to adjust 'FragmentThreshold' variables in an appropriate manner?

By the way, the 0x3f padding has obviously caused many of us to pull our collective hair out trying to identify the cause of these alarms, particularly because it was unique to Cisco IDS sensors. Information like this needs to be in the user documentation, IMHO. I don’t think the thread at the ISC or here would have started if we knew about the padding. Instead, though I can only speak for myself now, I think the focus would have been on figuring out if the apparent volume of fragmentation was normal for the segment(s) monitoring by the Cisco IDS and correcting any discovered configuration errors (either in the network or the attached systems).

Just my $LOCAL_CURRENCY = 0.02 + $LOCAL_TAXES

Alex Arndt

I do not consider this matter closed; one of the other Cisco engineers indicated this padding is a feature of 3.x sensors but in 4.x indicates a bug.

One of the other engineers said "preliminary analysis based on extremely limited data available" - so what can I provide that will help to make things more certain? I am willing to provide whatever settings are requested as well as further sniffer traces as required.

--James

Sorry to dig this one up again. I am not sure that I have understood the resolution.

After reading this thread I have understood that if you are receiving this event with port 16191, this means increase the IPRreasembleMaxFrags parameter on the sensor until you don’t see it anymore.

Is this the answer???