Flows with destination port 0 and TCP SYN flag set

Maqbool Hashim maqbool at madbull.info
Wed Jun 17 09:23:55 UTC 2015


Hi

Thanks for the response.  There are lots of different source ports, all above 10,000 (e.g. 42628, 42927, 39050).  It is always two Red Hat machines generating the traffic; I can't be 100% sure due to the sampling, but I'm pretty sure, as the capture has been running for 24 hours or so.  It is always the same destination servers, and in normal operation these source and destination hosts do have a bunch of legitimate flows between them.  I was leaning towards it being a reporting artifact, but it's interesting that there is also a whole set of ACK/RST packets from the destination hosts with a source port of 0.  Does this not indicate that it probably isn't a reporting artifact?

Maybe I need to set up collectors and SPAN ports on all the switches involved to get to the bottom of this.  Just feeling like we need to look at *all* the packets, not the sample!

Regards,

MH

________________________________________
From: NANOG <nanog-bounces at nanog.org> on behalf of Roland Dobbins <rdobbins at arbor.net>
Sent: 17 June 2015 10:07
To: nanog at nanog.org
Subject: Re: Flows with destination port 0 and TCP SYN flag set

On 17 Jun 2015, at 10:44, Maqbool Hashim wrote:

> It was stated in that thread that netflow reports source/dest port 0
> for non-initial fragments.

Fragmentation in this context only applies to UDP packets.

If the destination of a TCP SYN is being reported as 0 (what's the
source port?), either it's a reporting artifact of some kind or in fact
a SYN destined to TCP/0 (we see this with SYN-floods, sometimes, as well
as with attacks attempting to bypass ACL/firewall rules and related to
compromise).

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
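
A small triage script for the question raised in this thread, added here as an example and not code posted by either participant. It works from the observation that a non-initial IP fragment carries no TCP header at all, so an exporter keyed on such a fragment can report neither a source port, nor a destination port, nor any TCP flag: both ports 0 and flags 0. A record with a real ephemeral source port, destination port 0 and SYN set therefore does not match the fragment pattern, and a matching ACK/RST record in the reverse direction with source port 0 makes a one-sided reporting glitch even less likely. The record layout (a seven-field nfdump-style CSV) and the sample records are constructed for this example and are assumptions, not data from the thread.

```python
"""Classify sampled flow records that show TCP port 0, and pair SYNs to
TCP/0 with ACK/RST replies from TCP/0.

Assumed (constructed) record layout, one flow per line:
  src_ip,dst_ip,proto,src_port,dst_port,tcp_flags,packets
tcp_flags is a letter string: A(CK) R(ST) S(YN) F(IN) P(SH) U(RG), "" for none.
"""
from collections import defaultdict

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
TCP = 6


def parse_flags(letters):
    """Turn a flag-letter string such as 'AR' into the TCP flag bits."""
    bits = 0
    for ch in letters.strip():
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def parse_record(line):
    fields = [x.strip() for x in line.split(",")]
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    src, dst, proto, sport, dport, flags, pkts = fields
    return {"src": src, "dst": dst, "proto": int(proto), "sport": int(sport),
            "dport": int(dport), "flags": parse_flags(flags), "packets": int(pkts)}


def classify(rec):
    """Label one record by what the port-0 value can and cannot mean."""
    if rec["proto"] != TCP:
        return "not-tcp"
    sport, dport, flags = rec["sport"], rec["dport"], rec["flags"]
    # A non-initial fragment has no TCP header, so the exporter cannot see
    # either port or any flag: the only fragment-shaped record is 0/0 with
    # no flags.  (Assumption: the exporter zeroes rather than guesses.)
    if sport == 0 and dport == 0 and flags == 0:
        return "fragment-artifact"
    if dport == 0 and flags & FLAG_BITS["S"]:
        return "syn-to-tcp0"
    rst_ack = FLAG_BITS["R"] | FLAG_BITS["A"]
    if sport == 0 and flags & rst_ack == rst_ack:
        return "rstack-from-tcp0"
    if sport == 0 or dport == 0:
        return "port0-other"
    return "ordinary"


def correlate(records):
    """Pair each SYN-to-TCP/0 with an ACK/RST-from-TCP/0 in the reverse
    direction, keyed on (client, server, client ephemeral port).  A matched
    pair means two independent directions (and often two exporters) agree
    the port was 0, which a single reporting artifact would not produce."""
    syns = {}
    for r in records:
        if classify(r) == "syn-to-tcp0":
            syns[(r["src"], r["dst"], r["sport"])] = r
    pairs = []
    for r in records:
        if classify(r) == "rstack-from-tcp0":
            key = (r["dst"], r["src"], r["dport"])
            if key in syns:
                pairs.append((syns[key], r))
    return pairs


# Constructed sample records; addresses and counts are made up.
SAMPLE = """\
10.1.1.10,10.2.2.20,6,42628,0,S,1
10.2.2.20,10.1.1.10,6,0,42628,AR,1
10.1.1.10,10.2.2.20,6,42927,0,S,1
10.1.1.10,10.2.2.20,6,0,0,,3
10.1.1.10,10.2.2.20,6,39050,443,AS,12
10.1.1.10,10.2.2.20,17,0,0,,2
"""


def summarize(text):
    """Return (label counts, SYN/RST-ACK pairs) for a block of records."""
    records = [parse_record(l) for l in text.splitlines() if l.strip()]
    counts = defaultdict(int)
    for r in records:
        counts[classify(r)] += 1
    return dict(counts), correlate(records)


if __name__ == "__main__":
    counts, pairs = summarize(SAMPLE)
    for label, n in sorted(counts.items()):
        print(f"{label:18s} {n}")
    for syn, rst in pairs:
        print(f"paired: {syn['src']}:{syn['sport']} -> {syn['dst']}:0 "
              f"answered by {rst['src']}:0 -> {rst['dst']}:{rst['dport']} [AR]")
```

If the records fall into "syn-to-tcp0" and a reverse "rstack-from-tcp0" pairs with them, the next step is exactly what the poster suggests: capture on a SPAN port rather than reasoning from samples, for example with `tcpdump -n 'tcp port 0'`, and confirm the TCP header really carries port 0 on the wire.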
