Date: Thu, 7 Jun 2012 15:41:59 +0300 From: Nikolay Denev <ndenev@gmail.com> To: freebsd-net <freebsd-net@freebsd.org> Subject: FreeBSD 8.2-STABLE sending FIN no ACK packets. Message-ID: <54EF0399-B36E-42CA-9526-DDC7ADA4406A@gmail.com>
Hello,

Our partner pointed out to us that we are sending TCP packets with the FIN flag set and no ACK set, which is triggering alerts on their firewalls.

I've investigated, and it appears that some of our FreeBSD hosts are really sending such packets (they are running some Java applications). I used

  tcpdump -s0 -vni em1 '(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)'

to catch them.

Is this considered normal? It seems at least Juniper considers this malicious traffic:
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-72577.html
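As an added example that is not part of the original message (nor FreeBSD code), here is an offline Python equivalent of the tcpdump filter quoted above: it reads the flags byte at TCP offset 13 (`tcp[tcpflags]`) from raw IPv4 packets and reports segments that carry FIN without ACK. The packets it scans are constructed inline, not captured traffic.

```python
"""Offline equivalent of the tcpdump filter from the post:
'(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)'.
Parses raw IPv4/TCP packets and reports segments carrying FIN without ACK.
The sample packets below are constructed here, not captured traffic."""
import struct
from typing import List, Optional

TH_FIN = 0x01  # same bit values tcpdump uses for tcp-fin / tcp-ack
TH_ACK = 0x10

def tcp_flags(packet: bytes) -> Optional[int]:
    """Return the TCP flags byte (tcp[13]) of a raw IPv4 packet,
    or None if the packet is not TCP or is too short to hold it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6:                    # IP protocol 6 = TCP
        return None
    if len(packet) < ihl + 14:            # must reach TCP offset 13
        return None
    return packet[ihl + 13]

def fin_without_ack(packet: bytes) -> bool:
    """True for exactly the segments the tcpdump expression matches."""
    flags = tcp_flags(packet)
    if flags is None:
        return False
    return flags & TH_FIN != 0 and flags & TH_ACK == 0

def build_packet(flags: int) -> bytes:
    """Build a minimal IPv4+TCP packet (no options, no payload) with the
    given flags; addresses and ports are placeholder values."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, 5 << 4, flags,
                      65535, 0, 0)
    return ip + tcp

def scan(packets: List[bytes]) -> List[int]:
    """Indices of packets that carry FIN without ACK."""
    return [i for i, p in enumerate(packets) if fin_without_ack(p)]

# Constructed sample: plain ACK, normal FIN/ACK, bare FIN, bare SYN.
SAMPLE = [build_packet(TH_ACK), build_packet(TH_FIN | TH_ACK),
          build_packet(TH_FIN), build_packet(0x02)]

if __name__ == "__main__":
    print("FIN-without-ACK packets at indices:", scan(SAMPLE))
```

Only the bare-FIN segment (index 2) is reported; a normal FIN/ACK close is not.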
