From owner-freebsd-net@FreeBSD.ORG Thu Jun 7 12:42:04 2012
From: Nikolay Denev <ndenev@gmail.com>
Date: Thu, 7 Jun 2012 15:41:59 +0300
To: freebsd-net@freebsd.org
Message-Id: <54EF0399-B36E-42CA-9526-DDC7ADA4406A@gmail.com>
Subject: FreeBSD 8.2-STABLE sending FIN no ACK packets.
Hello,

Our partner pointed out to us that we are sending TCP packets with the FIN flag set and no ACK, which is triggering alerts on their firewalls.

I've investigated, and it appears that some of our FreeBSD hosts are really sending such packets. (They are running some Java applications.)

I did

    tcpdump -s0 -vni em1 '(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)'

to catch them.

Is this considered normal?

It seems at least Juniper considers this malicious traffic:
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-72577.html
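The tcpdump filter in the post reads byte 13 of the TCP header (tcp[tcpflags]) and keeps segments with FIN set and ACK clear. The following Python is an added example, not code from the original message or from FreeBSD, showing the same test applied to raw IPv4/TCP packet bytes, so it can be run over a saved capture or a socket dump offline. It locates the TCP header via the IPv4 IHL field instead of assuming a 20-byte IP header, renders the flag byte the way a log line would need it, and runs over a small constructed sample (a normal handshake and close, a bare FIN, and an RST); all addresses, ports and packets are made up for the example.

```python
"""Added example (not from the original post): parse raw IPv4/TCP packets and
flag segments that carry FIN without ACK, the condition the poster's tcpdump
filter matches. All packet bytes below are constructed for the example."""
import socket
import struct

# TCP flag bits (the same values as tcpdump's tcp-fin, tcp-syn, ... constants)
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [(TH_FIN, "FIN"), (TH_SYN, "SYN"), (TH_RST, "RST"),
              (TH_PUSH, "PSH"), (TH_ACK, "ACK"), (TH_URG, "URG")]


def tcp_flags(packet: bytes) -> int:
    """Return the TCP flag byte of a raw IPv4 packet (no link-layer header).

    tcpdump's tcp[tcpflags] is tcp[13]: byte 13 of the TCP header, i.e. the
    low byte of the data-offset/reserved/flags word. The TCP header is found
    by honouring the IPv4 IHL field rather than assuming a 20-byte IP header.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not TCP")
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    return packet[ihl + 13]


def flag_names(flags: int) -> str:
    """Render a flag byte as e.g. 'FIN|ACK' (tcpdump prints this as [F.])."""
    return "|".join(name for bit, name in FLAG_NAMES if flags & bit) or "none"


def is_fin_without_ack(packet: bytes) -> bool:
    """Python equivalent of the post's filter:
    (tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)"""
    f = tcp_flags(packet)
    return bool(f & TH_FIN) and not (f & TH_ACK)


def find_fin_without_ack(packets):
    """Return (index, flags-as-text) for every packet the filter would catch."""
    return [(i, flag_names(tcp_flags(p))) for i, p in enumerate(packets)
            if is_fin_without_ack(p)]


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Construct a minimal IPv4+TCP packet (no options, checksums zeroed).
    Used only to make sample input for the parser above."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags,   # data offset 5 words, reserved 0
                      65535, 0, 0)         # window, checksum, urgent pointer
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


# Constructed sample capture: a normal handshake and close, one bare FIN, an RST.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40000, 443, TH_SYN),
    build_ipv4_tcp("192.0.2.10", "10.0.0.5", 443, 40000, TH_SYN | TH_ACK),
    build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40000, 443, TH_ACK),
    build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40000, 443, TH_FIN | TH_ACK),
    build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40000, 443, TH_FIN),  # the odd one
    build_ipv4_tcp("192.0.2.10", "10.0.0.5", 443, 40000, TH_RST | TH_ACK),
]

if __name__ == "__main__":
    for idx, names in find_fin_without_ack(SAMPLE_PACKETS):
        print(f"packet {idx}: FIN without ACK (flags={names})")
```

Only the bare FIN (index 4) is reported; the normal FIN|ACK close is not, which is the distinction the firewall screen referenced in the post is drawing. To use this on real traffic, feed it the IPv4 payload of each frame (for an Ethernet capture, skip the 14-byte link header first) and record the source address alongside the index to see which host emits the segments.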