00:13:39.472 pinger.org > https://traloihay.net:
(frag 1813:156@552)
(frag 60948:552@0+) (frag 60948:156@552)
ICMP
IDIC - SANS GIAC LevelTwo ©2000, 2001
While we are doing fragmentation, we thought we ought to share this pattern with you. What is wrong with the fragmentation on your slide? Nothing! It is valid fragmentation. The problem is, we keep seeing this exact pattern associated with known attacker IP addresses. This is probably a good time for us to pitch Griffin lists. Have you ever thought about the power of a list of probable attacks and anomalies that comes from multiple sites? This would give the edge to any site that can easily filter for these addresses, especially if it has TCPdump or another sniffer running so it can investigate activity by address, response or stimulus as needed.

[Narrator, do not read ** additional examples of the pattern]
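
The fragment notation on the slide, checked in code. This is an added example, not part of the original course material: it parses tcpdump's (frag id:size@offset+) tokens, groups them by IP ID, tests each train against the usual validity rules, and compares it with the shape shown on the slide. The function names and the SIGNATURE list are assumptions made for illustration.

```python
import re
from collections import defaultdict

# tcpdump prints a fragment as (frag id:size@offset); a trailing "+"
# means the More Fragments bit is set. Size excludes the IP header.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")

# Fragment tokens copied from the slide.
SLIDE_FRAGS = "(frag 1813:156@552) (frag 60948:552@0+) (frag 60948:156@552)"

# Assumption: the (size, offset, more_fragments) shape seen on the slide,
# treated here as the pattern to watch for.
SIGNATURE = [(552, 0, True), (156, 552, False)]

def parse_frags(text):
    """Group fragments by IP ID as (size, offset, more_fragments) tuples."""
    trains = defaultdict(list)
    for ip_id, size, offset, more in FRAG_RE.findall(text):
        trains[int(ip_id)].append((int(size), int(offset), more == "+"))
    return {k: sorted(v, key=lambda f: f[1]) for k, v in trains.items()}

def check_train(frags):
    """Return a list of problems; an empty list means valid fragmentation."""
    problems, expected = [], 0
    for size, offset, more in frags:
        if offset % 8:
            problems.append(f"offset {offset} is not a multiple of 8")
        if more and size % 8:
            problems.append(f"non-final size {size} is not a multiple of 8")
        if offset > expected:
            problems.append(f"gap: bytes {expected}-{offset - 1} missing")
        elif offset < expected:
            problems.append(f"overlap at offset {offset}")
        expected = max(expected, offset + size)
    if frags and frags[-1][2]:
        problems.append("last fragment still has More Fragments set")
    return problems

def matches_signature(frags):
    """True when a train has exactly the shape shown on the slide."""
    return frags == SIGNATURE

if __name__ == "__main__":
    for ip_id, frags in parse_frags(SLIDE_FRAGS).items():
        print(ip_id, frags, check_train(frags) or "valid",
              "matches slide pattern" if matches_signature(frags) else "")
```

Train 60948 passes every check, which is the slide's point: the pattern is valid, so it has to be caught by its shape and source address rather than by a malformed-packet rule. ID 1813 appears on the slide without its first fragment, so it is reported as a gap.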