Date: Thu, 7 Jun 2012 15:41:59 +0300
From: Nikolay Denev <ndenev@gmail.com>
To: freebsd-net <freebsd-net@freebsd.org>
Subject: FreeBSD 8.2-STABLE sending FIN no ACK packets.
Message-ID: <54EF0399-B36E-42CA-9526-DDC7ADA4406A@gmail.com>
Hello,

Our partner has pointed out to us that we are sending TCP packets with the FIN flag set and no ACK set, which is triggering alerts on their firewalls.

I've investigated, and it appears that some of our FreeBSD hosts really are sending such packets (they are running some Java applications).

I did "tcpdump -s0 -vni em1 '(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)'" to catch them.

Is this considered normal? It seems at least Juniper considers this malicious traffic: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-72577.html
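The tcpdump filter above tests the TCP flag byte (offset 13 of the TCP header) for FIN set and ACK clear. The following is an added example, not code from the original post, that applies the same check to raw TCP headers offline; it assumes each input is a bare TCP segment starting at the TCP header (no IP header in front), and the sample segments are constructed here for illustration.

```python
# Added example (not from the original post): classify TCP segments by their
# flag byte and report FIN-without-ACK, the same condition the tcpdump filter
# "(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)" matches.
import struct

# Flag bits of the TCP header's 14th byte (offset 13), per RFC 793 / RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "F", SYN: "S", RST: "R", PSH: "P", ACK: ".", URG: "U", ECE: "E", CWR: "W"}

def tcp_flags(segment: bytes) -> int:
    """Return the flag byte of a raw TCP segment (assumes header starts at offset 0)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]

def flag_string(flags: int) -> str:
    """tcpdump-style rendering of the flags, e.g. 'F.' for FIN+ACK."""
    return "".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"

def is_fin_without_ack(segment: bytes) -> bool:
    """True when FIN is set but ACK is not: the case the partner's firewall alerts on.
    Once a connection is established every segment carries ACK (RFC 793), so a
    bare FIN is not something a conforming stack should normally emit."""
    flags = tcp_flags(segment)
    return bool(flags & FIN) and not (flags & ACK)

def make_segment(sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header (constructed test data, no options, no payload)."""
    data_offset = 5 << 4  # 5 x 32-bit words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, data_offset, flags, 65535, 0, 0)

def find_suspicious(segments: list[bytes]) -> list[str]:
    """Return a tcpdump-like line for every FIN-without-ACK segment in the input."""
    hits = []
    for seg in segments:
        if is_fin_without_ack(seg):
            sport, dport = struct.unpack("!HH", seg[:4])
            hits.append(f"{sport} > {dport}: Flags [{flag_string(tcp_flags(seg))}]")
    return hits

# Constructed sample: a normal FIN+ACK, a plain ACK, and the offending bare FIN.
SAMPLE = [make_segment(49152, 443, FIN | ACK), make_segment(49153, 443, ACK), make_segment(49154, 443, FIN)]

if __name__ == "__main__":
    print("\n".join(find_suspicious(SAMPLE)))
```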