From owner-freebsd-net@FreeBSD.ORG Fri Jun 8 12:43:52 2012
From: Nikolay Denev
Date: Fri, 8 Jun 2012 15:43:47 +0300
To: Adrian Chadd
Cc: freebsd-net
References: <54EF0399-B36E-42CA-9526-DDC7ADA4406A@gmail.com>
Subject: Re: FreeBSD 8.2-STABLE sending FIN no ACK packets.
On Jun 8, 2012, at 4:30 AM, Adrian Chadd wrote:

> On 7 June 2012 05:41, Nikolay Denev wrote:
>> Hello,
>>
>> Our partner has pointed out to me that we are sending TCP packets with the FIN flag set and no ACK set, which is triggering
>> alerts on their firewalls.
>> I've investigated, and it appears that some of our FreeBSD hosts are really sending such packets. (They are running some Java applications.)
>> I did "tcpdump -s0 -vni em1 '(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)'" to catch them.
>>
>> Is this considered normal?
>> It seems at least Juniper considers this malicious traffic: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-72577.html
>
> Would you please file a PR with this, so it doesn't get lost?
>
> Thanks,
>
>
> Adrian

Filed as kern/168842, and mistakenly duplicated as kern/168843 (the latter can be closed).
As I wrote in the PR, I have a PCAP that I can privately share if someone is interested.
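The tcpdump filter in the thread tests the TCP flags byte (`tcp[13]`) for FIN set and ACK clear. The following added example, not part of the mailing-list post or of FreeBSD, applies the same test to raw IPv4/TCP packet bytes so the match logic can be checked offline; the packets are constructed inline with zero checksums and the addresses are placeholders.

```python
import struct

TCP_FIN = 0x01
TCP_ACK = 0x10

def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Build a minimal IPv4+TCP packet (20-byte headers, no options, no payload).
    Constructed sample data only; checksums are left as zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    # data offset 5 (no options) sits in the high nibble of the byte before the flags
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr

def fin_without_ack(pkt):
    """True when pkt is IPv4/TCP with FIN set and ACK clear, i.e. the same test as
    the BPF filter (tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 14:
        return False                      # not TCP, or truncated before tcp[13]
    flags = pkt[ihl + 13]                 # tcp[13] holds the flag bits
    return (flags & TCP_ACK) == 0 and (flags & TCP_FIN) != 0

def report(packets):
    """Return (src, sport, dst, dport) for every packet matching fin_without_ack."""
    hits = []
    for pkt in packets:
        if fin_without_ack(pkt):
            ihl = (pkt[0] & 0x0F) * 4
            src = ".".join(map(str, pkt[12:16]))
            dst = ".".join(map(str, pkt[16:20]))
            sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
            hits.append((src, sport, dst, dport))
    return hits

# Constructed samples: a normal FIN/ACK close, a FIN with no ACK, and a plain ACK.
SAMPLES = [
    build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40000, 443, TCP_FIN | TCP_ACK),
    build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40001, 443, TCP_FIN),
    build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40002, 443, TCP_ACK),
]

if __name__ == "__main__":
    for hit in report(SAMPLES):
        print("FIN without ACK: %s:%d -> %s:%d" % hit)
```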