[181121] in North American Network Operators' Group


Re: Flows with destination port 0 and TCP SYN flag set

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Wed Jun 17 05:08:04 2015

X-Original-To: nanog@nanog.org
From: "Roland Dobbins" <rdobbins@arbor.net>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 17 Jun 2015 11:07:58 +0200
In-Reply-To: <HE1PR02MB07321F1F2D3770D215208373D6A60@HE1PR02MB0732.eurprd02.prod.outlook.com>
Errors-To: nanog-bounces@nanog.org


On 17 Jun 2015, at 10:44, Maqbool Hashim wrote:

> It was stated in that thread that netflow reports source/dest port 0 
> for non-initial fragments.

Fragmentation in this context only applies to UDP packets.

If the destination of a TCP SYN is being reported as 0 (what's the 
source port?), either it's a reporting artifact of some kind or in fact 
a SYN destined to TCP/0 (we see this with SYN-floods, sometimes, as well 
as with attacks attempting to bypass ACL/firewall rules and related to 
compromise).

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
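
A triage sketch for the question raised in this message, added here as an example and not part of the original post: it pulls TCP flows with SYN set and destination port 0 out of a flow export, groups them by source, and reports the source ports seen. The CSV column names, the `triage` function, the fan-out threshold and the rule that source port 0 on every flow points at a reporting artifact are all assumptions made for illustration; the sample records are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow export (not real traffic): documentation addresses,
# NetFlow-style cumulative TCP flags as an integer (SYN = 0x02).
SAMPLE_FLOWS = """src,dst,proto,sport,dport,tcp_flags,packets
192.0.2.10,198.51.100.5,6,40112,0,2,1
192.0.2.10,198.51.100.6,6,40113,0,2,1
192.0.2.10,198.51.100.7,6,40114,0,2,1
203.0.113.9,198.51.100.5,6,0,0,2,4
203.0.113.20,198.51.100.5,6,51514,443,18,12
203.0.113.30,198.51.100.8,17,0,0,0,3
"""

TCP, SYN = 6, 0x02

def triage(flow_csv, fanout=3):
    """Group TCP flows with SYN set and dport 0 by source and label each source."""
    by_src = defaultdict(lambda: {"dsts": set(), "sports": set(), "flows": 0})
    for r in csv.DictReader(io.StringIO(flow_csv)):
        if int(r["proto"]) != TCP or int(r["dport"]) != 0:
            continue  # only TCP flows reported with destination port 0
        if not int(r["tcp_flags"]) & SYN:
            continue  # only flows where the exporter saw SYN
        s = by_src[r["src"]]
        s["dsts"].add(r["dst"])
        s["sports"].add(int(r["sport"]))
        s["flows"] += 1
    report = {}
    for src, s in by_src.items():
        if s["sports"] == {0}:
            # Assumed heuristic: source port also 0 on every flow suggests
            # the exporter's reporting rather than a real SYN to TCP/0.
            verdict = "possible-reporting-artifact"
        elif len(s["dsts"]) >= fanout:
            verdict = "tcp0-syn-many-destinations"
        else:
            verdict = "tcp0-syn"
        report[src] = {"verdict": verdict, "flows": s["flows"],
                       "destinations": len(s["dsts"]),
                       "source_ports": sorted(s["sports"])}
    return report

if __name__ == "__main__":
    for src, info in triage(SAMPLE_FLOWS).items():
        print(src, info)
```

Flows labelled as a possible artifact are best confirmed with a packet capture at the exporting interface before any filtering decision is made.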
