Date:      Fri, 8 Jun 2012 15:43:47 +0300
From:      Nikolay Denev <ndenev@gmail.com>
To:        Adrian Chadd <adrian@FreeBSD.org>
Cc:        freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: FreeBSD 8.2-STABLE sending FIN no ACK packets.
Message-ID:  <CBFAA2DA-D8D2-466E-83EC-D40505250270@gmail.com>
In-Reply-To: <CAJ-Vmo=82Y-oD3gpNZQ_Q4UHWrRqk_Vs2QZqshGXv_E=LqY8-w@mail.gmail.com>
References:  <54EF0399-B36E-42CA-9526-DDC7ADA4406A@gmail.com> <CAJ-Vmo=82Y-oD3gpNZQ_Q4UHWrRqk_Vs2QZqshGXv_E=LqY8-w@mail.gmail.com>


On Jun 8, 2012, at 4:30 AM, Adrian Chadd wrote:

> On 7 June 2012 05:41, Nikolay Denev <ndenev@gmail.com> wrote:
>> Hello,
>>
>> It has been pointed out to me by our partner that we are sending TCP packets with the FIN flag and no ACK set, which is triggering
>> alerts on their firewalls.
>> I've investigated, and it appears that some of our FreeBSD hosts are really sending such packets. (They are running some Java applications.)
>> I did "tcpdump -s0 -vni em1 '(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)'" to catch them.
>>
>> Is this considered normal?
>> It seems at least Juniper considers this malicious traffic: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-72577.html
>
> Would you please file a PR with this, so it doesn't get lost?
>
> Thanks,
>
>
> Adrian

Filed as kern/168842, and mistakenly duplicated as kern/168843 (the latter can be closed).

As I wrote in the PR, I have a PCAP that I can privately share if someone is interested.
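The tcpdump filter quoted in the thread tests one byte of the TCP header: flags with FIN set and ACK clear. The following is an added example, not code from this thread or from FreeBSD, that performs the same check in Python over raw IPv4 packets (for instance packets read out of a PCAP such as the one mentioned above). The packets it scans are constructed in the script itself, with zero checksums, purely so the check can be exercised offline; the function and constant names are the example's own, though the TH_* values match the flag bits in FreeBSD's netinet/tcp.h.

```python
import struct

# TCP flag bits, as in FreeBSD's <netinet/tcp.h>. The tcpdump expression
# tcp[tcpflags] reads this same byte: offset 13 of the TCP header.
TH_FIN = 0x01
TH_SYN = 0x02
TH_RST = 0x04
TH_PUSH = 0x08
TH_ACK = 0x10


def build_packet(src, dst, sport, dport, flags, payload=b"", proto=6):
    """Build a minimal IPv4+TCP packet (constructed test data; checksums left zero)."""
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport,
                          1000, 0,           # seq, ack (arbitrary)
                          5 << 4,            # data offset: 5 words, no options
                          flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len,
                         0, 0,              # id, flags/fragment offset
                         64, proto, 0,      # ttl, protocol, checksum
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


def tcp_flags(pkt):
    """Return the TCP flags byte of an IPv4 packet, or None if it carries no TCP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                          # protocol field: not TCP
        return None
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None                          # non-first fragment: no TCP header here
    if len(pkt) < ihl + 14:
        return None                          # truncated before the flags byte
    return pkt[ihl + 13]


def flags_to_str(flags):
    """Render flags the way tcpdump prints them: 'F.' for FIN+ACK, 'F' for a bare FIN."""
    out = ""
    for bit, ch in ((TH_FIN, "F"), (TH_SYN, "S"), (TH_RST, "R"), (TH_PUSH, "P")):
        if flags & bit:
            out += ch
    if flags & TH_ACK:
        out += "."
    return out


def fin_without_ack(pkt):
    """Equivalent of '(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)'."""
    flags = tcp_flags(pkt)
    if flags is None:
        return False
    return bool(flags & TH_FIN) and not (flags & TH_ACK)


def find_fin_no_ack(packets):
    """Return the indices of packets that carry FIN without ACK."""
    return [i for i, p in enumerate(packets) if fin_without_ack(p)]


# Constructed sample traffic: a normal FIN/ACK, the anomalous bare FIN that
# triggered the partner's firewall alerts, a SYN, and a non-TCP (UDP) packet.
SAMPLE_PACKETS = [
    build_packet("192.0.2.10", "198.51.100.5", 50000, 443, TH_FIN | TH_ACK),
    build_packet("192.0.2.10", "198.51.100.5", 50001, 443, TH_FIN),
    build_packet("192.0.2.10", "198.51.100.5", 50002, 443, TH_SYN),
    build_packet("192.0.2.10", "198.51.100.5", 50003, 53, 0, proto=17),
]

if __name__ == "__main__":
    for i, p in enumerate(SAMPLE_PACKETS):
        f = tcp_flags(p)
        label = "non-TCP" if f is None else "[%s]" % flags_to_str(f)
        print(i, label, "FIN without ACK" if fin_without_ack(p) else "")
```

Only packet 1 matches, which is what the tcpdump filter would have printed as `[F]`; a normal close shows as `[F.]`. A FIN with no ACK is abnormal for a live connection, since every segment after the SYN is expected to carry ACK, which is why inspection devices treat it as a scan signature rather than a teardown.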




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CBFAA2DA-D8D2-466E-83EC-D40505250270>