From: Andre Oppermann
Date: Wed, 13 Jun 2012 15:19:56 +0200
To: Nikolay Denev
Cc: freebsd-net, freebsd-gnats-submit@freebsd.org
Subject: Re: FreeBSD 8.2-STABLE sending FIN no ACK packets. kern/168842
Message-ID: <4FD8937C.3020005@freebsd.org>
References: <54EF0399-B36E-42CA-9526-DDC7ADA4406A@gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

On 08.06.2012 14:43, Nikolay Denev wrote:
>
> On Jun 8, 2012, at 4:30 AM, Adrian Chadd wrote:
>
>> On 7 June 2012 05:41, Nikolay Denev wrote:
>>> Hello,
>>>
>>> Our partner has pointed out to us that we are sending TCP packets with the FIN flag set and no ACK set,
>>> which is triggering alerts on their firewalls.
>>> I've investigated, and it appears that some of our FreeBSD hosts really are sending such packets.
>>> (They are running some Java applications.)
>>> I did "tcpdump -s0 -vni em1 '(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)'" to catch them.
>>>
>>> Is this considered normal?
>>> It seems at least Juniper considers this malicious traffic:
>>> http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-72577.html
>>
>> Would you please file a PR with this, so it doesn't get lost?
>>
>> Thanks,
>>
>>
>> Adrian
>
> Filed as kern/168842, and mistakenly duplicated as kern/168843 (the latter can be closed).
>
> As I wrote in the PR, I have a PCAP that I can privately share if someone is interested.

Hi Nikolay,

please make the pcap available to me. From the tcpdump in the PR I can't
analyze how this stray packet may come about.

While certainly a bug it is not a security issue as any compliant TCP
stack would drop such a packet on receipt.

--
Andre
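The tcpdump filter quoted above only catches the stray segments live on the interface. When the capture arrives as a pcap, as Nikolay offers, the same check can be run offline. The script below is an added example and is not part of the thread, the PR, or FreeBSD's own code: it implements the predicate behind the filter (FIN set, ACK clear, the way `tcp[tcpflags]` masks them), decodes Ethernet II / IPv4 / TCP frames, and reads a classic libpcap file. The capture it runs on is constructed in memory with RFC 5737 documentation addresses and zeroed checksums; it is not the capture from the PR. pcapng files, VLAN-tagged frames and IPv6 are out of scope and are rejected or skipped.

```python
import struct
from typing import Iterator, List, NamedTuple, Optional

# TCP flag bits in the 13th byte of the TCP header (the names used by netinet/tcp.h).
TH_FIN = 0x01
TH_SYN = 0x02
TH_ACK = 0x10


class Segment(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_fin_without_ack(flags: int) -> bool:
    """Same predicate as the tcpdump filter
    '(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)'."""
    return bool(flags & TH_FIN) and not (flags & TH_ACK)


def parse_frame(frame: bytes) -> Optional[Segment]:
    """Decode an Ethernet II / IPv4 / TCP frame; anything else yields None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # too short, or EtherType is not IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                    # not IP version 4, or protocol is not TCP
        return None
    ihl = (ip[0] & 0x0F) * 4                              # IP options shift the TCP header
    tcp = ip[ihl:]
    if ihl < 20 or len(tcp) < 20:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", tcp[:4])
    return Segment(src, sport, dst, dport, tcp[13])


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield link-layer frames from a classic (not pcapng) libpcap file image."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written by a little-endian host
        order = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # written by a big-endian host
        order = ">"
    else:
        raise ValueError("not a classic pcap file: magic %r" % magic)
    linktype = struct.unpack(order + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled, got %d" % linktype)
    off = 24                                              # global header is 24 bytes
    while off + 16 <= len(data):                          # each record header is 16 bytes
        _sec, _usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def find_fin_without_ack(pcap: bytes) -> List[Segment]:
    """Every TCP segment in the capture with FIN set and ACK clear."""
    hits = []
    for frame in iter_pcap_frames(pcap):
        seg = parse_frame(frame)
        if seg is not None and is_fin_without_ack(seg.flags):
            hits.append(seg)
    return hits


# --- constructed sample capture (an assumption for this example, not the PR's pcap) ---

def build_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Ethernet II + IPv4 header around a transport payload; checksums are left zero."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + l4


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """20-byte TCP header with no options: seq 1000, ack 0, data offset 5."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)


def build_pcap(frames: List[bytes]) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # LINKTYPE_ETHERNET
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


CLIENT, SERVER = "192.0.2.10", "198.51.100.20"            # RFC 5737 documentation addresses
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 6, tcp_header(49152, 443, TH_SYN)),            # ordinary open
    build_frame(CLIENT, SERVER, 6, tcp_header(49152, 443, TH_FIN | TH_ACK)),   # ordinary close
    build_frame(CLIENT, SERVER, 17, b"\x00\x35\x00\x35\x00\x08\x00\x00"),      # UDP, skipped
    build_frame(CLIENT, SERVER, 6, tcp_header(49153, 8080, TH_FIN)),           # the stray one
])

if __name__ == "__main__":
    for seg in find_fin_without_ack(SAMPLE_PCAP):
        print("FIN without ACK: %s:%d -> %s:%d flags=0x%02x"
              % (seg.src, seg.sport, seg.dst, seg.dport, seg.flags))
```

To run it over a real file, replace `SAMPLE_PCAP` with the bytes read from the capture. Like the tcpdump filter, the predicate does not look at RST or any other bit, so a FIN-only segment is reported whatever else is set. On the receiving side RFC 793's segment processing drops any segment arriving in a synchronized state with the ACK bit off ("if the ACK bit is off drop the segment and return"), which is the behaviour Andre is relying on when he calls this a bug rather than a security issue; a firewall that alerts on it is flagging a malformed but inert segment.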