FreeBSD 8.2-STABLE sending FIN no ACK packets.
Nikolay Denev
ndenev at gmail.com
Thu Jun 7 12:42:04 UTC 2012
Hello,
It has been pointed out to me by our partner that we are sending TCP packets with the FIN flag and no ACK set, which is triggering alerts on their firewalls.
I've investigated, and it appears that some of our FreeBSD hosts are really sending such packets. (They are running some Java applications.)
I did "tcpdump -s0 -vni em1 '(tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)'" to catch them.
Is this considered normal?
It seems at least Juniper considers this malicious traffic: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-72577.html
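The check performed by the tcpdump filter quoted in the post above, written out at byte level for IPv4, as an added example that is not part of the original post. The function names and the sample packets are constructed for illustration (documentation addresses, checksums left at zero).

```python
import struct

FIN, ACK = 0x01, 0x10  # bit masks within the TCP flags byte (TCP header offset 13)

def tcp_flags(ip_packet: bytes):
    """Return the TCP flags byte of an IPv4 packet, or None when tcp[tcpflags]
    would not apply: not IPv4, not TCP, a non-first fragment, or truncated."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4          # header length varies with IP options
    if ihl < 20 or ip_packet[9] != 6:        # protocol 6 = TCP
        return None
    frag_offset = struct.unpack("!H", ip_packet[6:8])[0] & 0x1FFF
    if frag_offset != 0:                     # later fragments carry no TCP header
        return None
    if len(ip_packet) < ihl + 14:
        return None
    return ip_packet[ihl + 13]

def is_fin_without_ack(ip_packet: bytes) -> bool:
    """Same condition as (tcp[tcpflags] & tcp-ack == 0) && (tcp[tcpflags] & tcp-fin != 0)."""
    flags = tcp_flags(ip_packet)
    return flags is not None and flags & FIN != 0 and flags & ACK == 0

def build_packet(flags: int, ip_options: bytes = b"", frag_offset: int = 0) -> bytes:
    """Constructed sample: bare IPv4 + TCP headers with no payload."""
    ihl_words = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + len(tcp),
                     0, frag_offset, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + ip_options + tcp

SAMPLES = {  # constructed packets, not captured traffic
    "FIN only": build_packet(0x01),
    "FIN+ACK (normal close)": build_packet(0x11),
    "ACK only": build_packet(0x10),
    "FIN+PSH+URG": build_packet(0x29),
    "FIN only, with IP options": build_packet(0x01, ip_options=b"\x01\x01\x01\x01"),
    "FIN only, non-first fragment": build_packet(0x01, frag_offset=10),
}

def classify_samples():
    return {name: is_fin_without_ack(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:32s} {'MATCH' if hit else '-'}")
```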