Flows with destination port 0 and TCP SYN flag set

Maqbool Hashim maqbool at madbull.info
Wed Jun 17 09:50:54 UTC 2015


Hmm, no flags set in your output though?

________________________________________
From: Pavel Odintsov <pavel.odintsov at gmail.com>
Sent: 17 June 2015 10:44
To: Maqbool Hashim
Cc: Marcin Cieslak; nanog at nanog.org
Subject: Re: Flows with destination port 0 and TCP SYN flag set

Hello!

Looks like it's silly hping3 flood:

12:43:08.961024 IP 192.168.0.127.10562 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961031 IP 192.168.0.127.10563 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961039 IP 192.168.0.127.10564 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961046 IP 192.168.0.127.10565 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961054 IP 192.168.0.127.10566 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961062 IP 192.168.0.127.10567 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961070 IP 192.168.0.127.10568 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961077 IP 192.168.0.127.10569 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961085 IP 192.168.0.127.10570 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961093 IP 192.168.0.127.10571 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961101 IP 192.168.0.127.10572 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961108 IP 192.168.0.127.10573 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961116 IP 192.168.0.127.10574 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961123 IP 192.168.0.127.10575 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961131 IP 192.168.0.127.10576 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961139 IP 192.168.0.127.10577 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961146 IP 192.168.0.127.10578 > 216.239.32.21.0: Flags [.],
win 512, length 0
12:43:08.961154 IP 192.168.0.127.10579 > 216.239.32.21.0: Flags [.],
win 512, length 0

Just try:
hping3 --flood target_host.

On Wed, Jun 17, 2015 at 12:34 PM, Maqbool Hashim <maqbool at madbull.info> wrote:
> Hi,
>
> The destination host is sending an ACK+RST with the source port set to zero.  The destination IP is always one of the two hosts that are generating the SYN packets with a destination port of 0.  The destination port however is hard to match up to a source port in the original SYN packet due to the fact that we don't have all the packets.
>
> It's actually going to be difficult to get the access and procedural sign off etc. to run tcpdump on the machines involved.  What might be easier is to set up a span port for the hosts access port on the switch and grab that via the collector laptop I have.
>
> Thanks,
>
> MH
>
> ________________________________________
> From: Marcin Cieslak <saper at saper.info>
> Sent: 17 June 2015 10:30
> To: Maqbool Hashim
> Cc: nanog at nanog.org
> Subject: Re: Flows with destination port 0 and TCP SYN flag set
>
> On Wed, 17 Jun 2015, Maqbool Hashim wrote:
>
>> It is always the same destination servers and in normal operations
>> these source and destination hosts do have a bunch of legitimate flows
>> between them.  I was leaning towards it being a reporting artifact,
>> but it's interesting that there are a whole set of Ack Reset packets
>> from the destination hosts with a source port of 0 also.
>
> So the destination host is sending ACK+RST with the *source* port
> set to zero, or the *destination* port?
>
>> Does this not indicate that it probably isn't a reporting artifact?
>
> I would just tcpdump on one of the source machines to find out.
>
> ~Marcin



--
Sincerely yours, Pavel Odintsov
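The thread turns on two questions: whether the port-0 flows are a collector artifact, and what the capture actually shows. A detail worth knowing when reading the tcpdump lines above is that `Flags [.]` is tcpdump's notation for an ACK-only segment, not for "no flags"; `[S]` is SYN and `[R.]` is RST+ACK. The script below is an added example, written for this page and not posted by anyone in the thread. It parses tcpdump's one-line output, keeps every segment whose source or destination TCP port is 0, and summarises each (src, dst) pair: packet count, the flag combinations seen, the time span covered, and whether the source ports climb by exactly one per packet, which is the signature of a tool fabricating packets in a loop rather than a real client's ephemeral-port allocation. The first five sample lines are copied from Pavel's output; the RST+ACK reply with source port 0 and the port-443 SYN that must not be flagged are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# One-line tcpdump format as it appears in the thread, e.g.
# 12:43:08.961024 IP 192.168.0.127.10562 > 216.239.32.21.0: Flags [.], win 512, length 0
LINE_RE = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# tcpdump's flag letters; a lone '.' means ACK only, so "[.]" is not "no flags".
FLAG_NAMES = {"S": "SYN", "R": "RST", "F": "FIN", "P": "PSH", "U": "URG", ".": "ACK"}

# Constructed sample capture: the first five lines are copied from Pavel's
# tcpdump output in the thread; the RST+ACK reply with source port 0 and the
# port-443 SYN are made up here so the detector has something to ignore.
SAMPLE = """\
12:43:08.961024 IP 192.168.0.127.10562 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961031 IP 192.168.0.127.10563 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961039 IP 192.168.0.127.10564 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961046 IP 192.168.0.127.10565 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961054 IP 192.168.0.127.10566 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961200 IP 216.239.32.21.0 > 192.168.0.127.10562: Flags [R.], seq 0, ack 1, win 0, length 0
12:43:09.100000 IP 192.168.0.127.40001 > 216.239.32.21.443: Flags [S], seq 1, win 29200, length 0
""".splitlines()


def parse_line(line):
    """Return a dict for one tcpdump line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        # Seconds since midnight; good enough for spans inside one capture.
        "t": int(d["hh"]) * 3600 + int(d["mm"]) * 60 + float(d["ss"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": frozenset(FLAG_NAMES.get(c, c) for c in d["flags"]),
    }


def analyze(lines):
    """Group every segment that touches TCP port 0 by (src, dst) and describe it."""
    groups = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt and (pkt["sport"] == 0 or pkt["dport"] == 0):
            groups[(pkt["src"], pkt["dst"])].append(pkt)

    findings = {}
    for key, pkts in groups.items():
        sports = [p["sport"] for p in pkts]
        span = pkts[-1]["t"] - pkts[0]["t"]
        findings[key] = {
            "packets": len(pkts),
            # Source ports rising by exactly one per packet is what a packet
            # generator running in a loop produces; a real TCP stack does not.
            "sequential_sports": len(sports) > 1
            and all(b - a == 1 for a, b in zip(sports, sports[1:])),
            "span_seconds": round(span, 6),
            "flags": Counter(",".join(sorted(p["flags"])) for p in pkts),
        }
    return findings


if __name__ == "__main__":
    for (src, dst), f in analyze(SAMPLE).items():
        print(f"{src} -> {dst}: {f}")
```

Run against a real capture with `tcpdump -nn -tt ... | python3 script.py` after swapping `SAMPLE` for `sys.stdin`; the `-nn` is needed so ports are printed as numbers rather than service names, which the regex expects. If the collector reports port-0 SYN flows but a span-port capture of the same hosts shows no such segments, the flows are a reporting artifact; if the capture shows them with sequential source ports and sub-millisecond spacing, as in Pavel's output, they are synthetic traffic from the source host.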


