Date: Thu, 7 Jun 2012 18:30:53 -0700
From: Adrian Chadd <adrian@freebsd.org>
To: Nikolay Denev <ndenev@gmail.com>
Cc: freebsd-net <freebsd-net@freebsd.org>
Subject: Re: FreeBSD 8.2-STABLE sending FIN no ACK packets.
Message-ID: <CAJ-Vmo=82Y-oD3gpNZQ_Q4UHWrRqk_Vs2QZqshGXv_E=LqY8-w@mail.gmail.com>
In-Reply-To: <54EF0399-B36E-42CA-9526-DDC7ADA4406A@gmail.com>
References: <54EF0399-B36E-42CA-9526-DDC7ADA4406A@gmail.com>

On 7 June 2012 05:41, Nikolay Denev <ndenev@gmail.com> wrote:
> Hello,
>
> I've been pointed out by our partner that we are sending TCP packets with FIN flag and no ACK set, which is triggering
> alerts on their firewalls.
> I've investigated, and it appears that some of our FreeBSD hosts are really sending such packets. (they are running some java applications)
> I did "tcpdump -s0 -vni em1 '(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)'" to catch them.
>
> Is this considered normal?
> It seems at least Juniper considers this malicious traffic : http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-72577.html

Would you please file a PR with this, so it doesn't get lost?

Thanks,

Adrian