On 08.06.2012 14:43, Nikolay Denev wrote:
> On Jun 8, 2012, at 4:30 AM, Adrian Chadd wrote:
>> On 7 June 2012 05:41, Nikolay Denev wrote:
>>> It has been pointed out to me by our partner that we are sending TCP packets with FIN flag and no ACK set, which is triggering
>>> alerts on their firewalls.
>>> I've investigated, and it appears that some of our FreeBSD hosts are really sending such packets. (They are running some Java applications.)
>>> I did "tcpdump -s0 -vni em1 '(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)'" to catch them.
>>> Is this considered normal?
>>> It seems at least Juniper considers this malicious traffic: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-72577.html
>> Would you please file a PR with this, so it doesn't get lost?
> Filed as kern/168842, and mistakenly duplicated as kern/168843 (the latter can be closed).
> As I wrote in the PR, I have a PCAP that I can privately share if someone is interested.
Please make the pcap available to me. From the tcpdump in the PR I can't
analyze how this stray packet may come about.
While certainly a bug, it is not a security issue, as any compliant TCP stack
would drop such a packet on receipt.
freebsd- mailing list
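
The capture filter quoted in the thread, written out as a packet check in Python. This is an added example, not part of the original messages; `build_packet`, the port numbers and the 192.0.2.x addresses are constructed for illustration, and the sample packets are synthetic rather than taken from the PR's capture.

```python
import struct

TCP_FIN, TCP_ACK = 0x01, 0x10  # bit values behind tcpdump's tcp-fin / tcp-ack

def tcp_flags(ip_packet: bytes):
    """Return the TCP flags byte of a raw IPv4 packet, or None if it cannot be read."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None                        # not IPv4
    ihl = (ip_packet[0] & 0x0F) * 4        # IP header length, options included
    frag_offset = struct.unpack("!H", ip_packet[6:8])[0] & 0x1FFF
    if ihl < 20 or ip_packet[9] != 6 or frag_offset != 0:
        return None                        # not TCP, or a later fragment with no TCP header
    if len(ip_packet) < ihl + 14:
        return None                        # truncated before the flags byte
    return ip_packet[ihl + 13]             # tcp[tcpflags] is byte 13 of the TCP header

def fin_without_ack(ip_packet: bytes) -> bool:
    """Same predicate as the filter: ACK bit clear and FIN bit set."""
    flags = tcp_flags(ip_packet)
    return flags is not None and (flags & TCP_ACK) == 0 and (flags & TCP_FIN) != 0

def build_packet(flags: int, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4+TCP packet for testing (checksums left at zero)."""
    ihl_words = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = ihl_words * 4 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + ip_options + tcp

# Constructed samples: only the FIN-without-ACK packets should be flagged.
SAMPLES = {
    "FIN only": build_packet(TCP_FIN),
    "FIN+ACK": build_packet(TCP_FIN | TCP_ACK),
    "ACK": build_packet(TCP_ACK),
    "FIN only, IP options": build_packet(TCP_FIN, ip_options=b"\x01" * 4),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22} flagged={fin_without_ack(pkt)}")
```

The flags byte is located through the IP header length rather than at a fixed offset, so packets carrying IP options are still classified correctly.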