On Jun 8, 2012, at 4:30 AM, Adrian Chadd wrote:

> On 7 June 2012 05:41, Nikolay Denev <nde...@gmail.com> wrote:
>> Hello,
>>
>> I've been pointed out by our partner that we are sending TCP packets with
>> FIN flag and no ACK set, which is triggering
>> alerts on their firewalls.
>> I've investigated, and it appears that some of our FreeBSD hosts are really
>> sending such packets. (They are running some Java applications.)
>> I did "tcpdump -s0 -vni em1 '(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)'" to catch them.
>>
>> Is this considered normal?
>> It seems at least Juniper considers this malicious traffic:
>> http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-72577.html
>
> Would you please file a PR with this, so it doesn't get lost?
>
> Thanks,
>
>
> Adrian

Filed as kern/168842, and mistakenly duplicated as kern/168843 (the latter can be closed).

As I wrote in the PR, I have a PCAP that I can privately share if someone is interested.
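
An added example, not part of the original messages: the same FIN-set, ACK-clear test that the quoted tcpdump filter expresses, applied to raw IPv4 packets in Python. The function names are hypothetical and the sample packets are constructed; input is assumed to start at the IP header.

```python
import struct

TCP_FIN, TCP_ACK = 0x01, 0x10  # bit values behind tcpdump's tcp-fin / tcp-ack
IPPROTO_TCP = 6

def fin_without_ack(ip_packet: bytes) -> bool:
    """Hypothetical helper: True for an IPv4/TCP packet with FIN set and ACK clear."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return False                      # too short, or not IPv4
    ihl = (ip_packet[0] & 0x0F) * 4       # IP header length; options move the TCP header
    if ihl < 20 or ip_packet[9] != IPPROTO_TCP:
        return False
    frag_offset = struct.unpack("!H", ip_packet[6:8])[0] & 0x1FFF
    if frag_offset != 0:
        return False                      # later fragments carry no TCP header
    if len(ip_packet) < ihl + 14:
        return False                      # truncated before the flags byte
    flags = ip_packet[ihl + 13]           # tcp[tcpflags] is byte 13 of the TCP header
    return (flags & TCP_ACK) == 0 and (flags & TCP_FIN) != 0

def build_packet(flags: int, ip_options: bytes = b"") -> bytes:
    """Constructed sample packet (documentation addresses, zero checksums)."""
    assert len(ip_options) % 4 == 0
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ihl_words = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                     ihl_words * 4 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return ip + ip_options + tcp

if __name__ == "__main__":
    for name, flags in [("FIN", 0x01), ("FIN,ACK", 0x11),
                        ("ACK", 0x10), ("FIN,PSH,URG", 0x29)]:
        print(f"{name:12} alert={fin_without_ack(build_packet(flags))}")
```
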