[181122] in North American Network Operators' Group
Re: Flows with destination port 0 and TCP SYN flag set
daemon@ATHENA.MIT.EDU (Maqbool Hashim)
Wed Jun 17 05:24:02 2015
X-Original-To: nanog@nanog.org
From: Maqbool Hashim <maqbool@madbull.info>
To: Roland Dobbins <rdobbins@arbor.net>, "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 17 Jun 2015 09:23:55 +0000
In-Reply-To: <93440109-3E24-419F-9110-EF43FDCF418E@arbor.net>
Hi

Thanks for the response. There are lots of different source ports, all above 10,000 (e.g. 42628, 42927, 39050). It is always two Red Hat machines generating the traffic; I can't be 100% sure due to the sampling, but I'm pretty sure, as the capture has been running for 24 hours or so. It is always the same destination servers, and in normal operations these source and destination hosts do have a bunch of legitimate flows between them. I was leaning towards it being a reporting artifact, but it's interesting that there is a whole set of ACK/RST packets from the destination hosts with a source port of 0 also. Does this not indicate that it probably isn't a reporting artifact? Maybe I need to set up collectors and SPAN ports on all the switches involved to get to the bottom of this. Just feeling like we need to look at *all* the packets, not the sample!

Regards,
MH
________________________________________
From: NANOG <nanog-bounces@nanog.org> on behalf of Roland Dobbins <rdobbins@arbor.net>
Sent: 17 June 2015 10:07
To: nanog@nanog.org
Subject: Re: Flows with destination port 0 and TCP SYN flag set
On 17 Jun 2015, at 10:44, Maqbool Hashim wrote:
> It was stated in that thread that netflow reports source/dest port 0
> for non-initial fragments.
Fragmentation in this context only applies to UDP packets.
If the destination of a TCP SYN is being reported as 0 (what's the
source port?), either it's a reporting artifact of some kind or in fact
a SYN destined to TCP/0 (we see this with SYN-floods, sometimes, as well
as with attacks attempting to bypass ACL/firewall rules and related to
compromise).
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
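Added example, not part of the thread: a small Python triage pass over constructed flow records that separates the two explanations discussed above (an exporter reporting port 0 for a non-initial fragment versus a SYN actually sent to TCP/0) and checks whether the RST/ACK replies from source port 0 line up with the SYN flows. The record layout, flag encoding and sample addresses are assumptions for the example.

```python
"""Triage sampled flow records for the TCP SYN to destination port 0 pattern.

Added example, not code from the NANOG thread. The flow records below are
constructed for illustration; the tuple layout is an assumption, not a real
exporter format.
"""
from collections import Counter

# TCP flag bits as they appear in a flow record's tcp_flags field.
SYN, RST, ACK = 0x02, 0x04, 0x10
TCP, UDP = 6, 17

# Constructed records: (src_ip, src_port, dst_ip, dst_port, proto, tcp_flags, frag_offset)
FLOWS = [
    ("10.0.0.5", 42628, "10.0.1.20", 0, TCP, SYN, 0),           # SYN to TCP/0
    ("10.0.0.5", 42927, "10.0.1.20", 0, TCP, SYN, 0),           # SYN to TCP/0, no reply seen
    ("10.0.1.20", 0, "10.0.0.5", 42628, TCP, RST | ACK, 0),     # RST/ACK back from port 0
    ("10.0.0.5", 39050, "10.0.1.20", 443, TCP, SYN | ACK, 0),   # ordinary legitimate flow
    ("10.0.0.7", 0, "10.0.1.21", 0, UDP, 0, 1480),              # non-initial UDP fragment
]


def classify(flow):
    """Label one flow record; port 0 on a non-initial fragment is a reporting artifact."""
    src, sport, dst, dport, proto, flags, frag = flow
    if proto == UDP and frag > 0 and sport == 0 and dport == 0:
        return "udp_fragment_artifact"      # no L4 header in the packet to read ports from
    if proto == TCP and dport == 0 and flags & SYN:
        return "tcp_syn_to_port_0"
    if proto == TCP and sport == 0 and (flags & RST) and (flags & ACK):
        return "rst_ack_from_port_0"
    return "normal"


def triage(flows):
    """Return per-class counts and the SYN->port-0 flows that have a matching RST/ACK reply.

    A RST/ACK sourced from port 0 back to the original (src, sport) is consistent with
    the destination host really having received a segment addressed to TCP/0, which is
    what distinguishes a real SYN from an exporter artifact.
    """
    counts = Counter(classify(f) for f in flows)
    syns = {(f[0], f[1], f[2]) for f in flows if classify(f) == "tcp_syn_to_port_0"}
    replies = {(f[2], f[3], f[0]) for f in flows if classify(f) == "rst_ack_from_port_0"}
    return counts, sorted(syns & replies)


if __name__ == "__main__":
    counts, corroborated = triage(FLOWS)
    print(dict(counts))
    print("SYN->0 flows with matching RST/ACK:", corroborated)
```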