FreeBSD 8.2-STABLE sending FIN no ACK packets.

Nikolay Denev ndenev at gmail.com
Fri Jun 8 12:43:52 UTC 2012


On Jun 8, 2012, at 4:30 AM, Adrian Chadd wrote:

> On 7 June 2012 05:41, Nikolay Denev <ndenev at gmail.com> wrote:
>> Hello,
>> 
>> Our partner has pointed out to me that we are sending TCP packets with the FIN flag set and no ACK, which is triggering
>> alerts on their firewalls.
>> I've investigated, and it appears that some of our FreeBSD hosts really are sending such packets (they are running some Java applications).
>> I did "tcpdump -s0 -vni em1 '(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)'" to catch them.
>> 
>> Is this considered normal?
>> It seems at least Juniper considers this malicious traffic: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-72577.html
> 
> Would you please file a PR with this, so it doesn't get lost?
> 
> Thanks,
> 
> 
> Adrian

Filed as kern/168842, and mistakenly duplicated as kern/168843 (the latter can be closed).

As I wrote in the PR, I have a PCAP that I can privately share if someone is interested.
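
The check the tcpdump filter in the quoted message performs, written out as an added example (not code from the thread or from FreeBSD): a small Python parser that reads the TCP flags byte (tcp[13]) out of IPv4/TCP segments and reports those with FIN set and ACK cleared. The packets, addresses and ports are constructed here purely for illustration.

```python
import struct

# TCP flag bits in the flags byte (the byte tcpdump calls tcp[13] / tcp[tcpflags]).
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10
TCP_URG = 0x20
FLAG_NAMES = [(TCP_FIN, "FIN"), (TCP_SYN, "SYN"), (TCP_RST, "RST"),
              (TCP_PSH, "PSH"), (TCP_ACK, "ACK"), (TCP_URG, "URG")]

def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed IPv4 + TCP segment (no Ethernet header) for testing only."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    # seq=1, ack=0, data offset 5 words, window 65535, checksum/urg left zero
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr

def tcp_flags(packet):
    """Return the TCP flags byte of an IPv4 packet, or None if it is not TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 14:
        return None                       # not TCP, or truncated before the flags byte
    return packet[ihl + 13]

def flag_string(flags):
    return "|".join(name for bit, name in FLAG_NAMES if flags & bit) or "none"

def is_fin_without_ack(packet):
    """Same predicate as: (tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)"""
    flags = tcp_flags(packet)
    return flags is not None and (flags & TCP_FIN) != 0 and (flags & TCP_ACK) == 0

def scan(packets):
    """Return (index, flags) for every segment that would match the tcpdump filter."""
    return [(i, flag_string(tcp_flags(p)))
            for i, p in enumerate(packets) if is_fin_without_ack(p)]

# Constructed sample traffic: a normal FIN/ACK close, two anomalous FIN-without-ACK
# segments, and an ordinary data segment that must not match.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 443, TCP_FIN | TCP_ACK),
    build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40001, 443, TCP_FIN),
    build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40002, 443, TCP_ACK | TCP_PSH),
    build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40003, 443, TCP_FIN | TCP_PSH),
]

if __name__ == "__main__":
    print(scan(SAMPLE_PACKETS))
```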
