Fkiws with destination port 0 and TCP SYN flag set

Maqbool Hashim maqbool at madbull.info
Wed Jun 17 14:15:01 UTC 2015


Hi,

I'm investigating some of the protocols and will start looking at the processes on the machines.  Someone else rightly pointed out this getting off topic for NANOG, so thanks to everyone that responded.

Regards,

MH  

________________________________________
From: NANOG <nanog-bounces at nanog.org> on behalf of Mark Milhollan <mlm at pixelgate.net>
Sent: 17 June 2015 15:05
To: NANOG list
Subject: Re: Fkiws with destination port 0 and TCP SYN flag set

On Wed, 17 Jun 2015, Maqbool Hashim wrote:

>Finally I don't see how it could be, but be interested to hear peoples
>thoughts, no legitimate application could be generating this traffic
>could it?  I mean I don't see what use an application could make of
>such a TCP conversation.  Discarding network analysis etc.  This
>machine runs a whole host of proprietary control system protocols, so
>haven't discarded the possibility totally- but I just can't see what an
>application protocol could find useful in a bunch of reset + ack
>packets being received from the destination hosts.

Okay, setting aside the malicious possibilities, it may be that someone
felt they needed something like ping but without the need for a raw
socket.  I would worry about such code as there is usually sufficient
proof the host is alive due to ongoing or new sessions.  Still, in
process control it may be reasonable to check aliveness if, for example,
there has been no normal activity for a seemingly small period of time,
e.g., 50ms.  Such a test is only sufficient to prove that the TCP stack
will respond, not the programs (which is where aliveness within the
protocols is far more useful, classically PING and PONG).

Or perhaps a fence-post bug, e.g., a program is doing its own port
selection with a max of 65535 where it accidentally uses max+1 which for
a 16 bit unsigned value turns out to be 0, i.e., fixing the port number
(setting it to the min value) after it is used rather than before.


/mark



More information about the NANOG mailing list