[181131] in North American Network Operators' Group
Re: Flows with destination port 0 and TCP SYN flag set
daemon@ATHENA.MIT.EDU (Maqbool Hashim)
Wed Jun 17 07:56:09 2015
X-Original-To: nanog@nanog.org
From: Maqbool Hashim <maqbool@madbull.info>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 17 Jun 2015 11:56:04 +0000
In-Reply-To: <HE1PR02MB073233FA68B23634BC0D4AFED6A60@HE1PR02MB0732.eurprd02.prod.outlook.com>
Errors-To: nanog-bounces@nanog.org
So, progressed to grabbing full packet dumps via monitor ports. This confirmed that indeed the two hosts in question are generating traffic to the same four destinations with a destination port of zero. Now that I have a full packet dump I see reset + ack packets coming back from source port 0 for every single one of the initial SYN packets. Also it does look like a "scan" of some sort as the source port numbers are increasing by two or three every time and roughly 3-4 SYN packets per second being sent. I am guessing this would be a process binding to the next available TCP port on the source machine.

As far as I can tell, to progress the analysis I need to move to doing forensics on the host itself. It could be (as Pavel pointed out) a utility like hping3 that someone has left running and forgotten about. On the other hand it could be something more malicious, I just don't know at the moment. Any advice on this aspect would be great, unless considered off topic.

Finally, I don't see how it could be, but I'd be interested to hear people's thoughts: no legitimate application could be generating this traffic, could it? I mean I don't see what use an application could make of such a TCP conversation. Discarding network analysis etc. This machine runs a whole host of proprietary control system protocols, so I haven't discarded the possibility totally, but I just can't see what an application protocol could find useful in a bunch of reset + ack packets being received from the destination hosts.
Regards,
MH
________________________________________
From: NANOG <nanog-bounces+maqbool=madbull.info@nanog.org> on behalf of Maqbool Hashim <maqbool@madbull.info>
Sent: 17 June 2015 10:54
To: Roland Dobbins; nanog@nanog.org
Subject: Re: Flows with destination port 0 and TCP SYN flag set
Agreed. Might see if I can get netstat -antp output from the operators at some point though.

I will start with one of the hosts, looks like the whole flow capturing exercise for this LAN will need to be done using multiple laptops connected to the different access ports for the hosts. No RSPAN support on these switches and no netflow :(
________________________________________
From: NANOG <nanog-bounces@nanog.org> on behalf of Roland Dobbins <rdobbins@arbor.net>
Sent: 17 June 2015 10:44
To: nanog@nanog.org
Subject: Re: Flows with destination port 0 and TCP SYN flag set
On 17 Jun 2015, at 11:34, Maqbool Hashim wrote:
> What might be easier is to set up a span port for the hosts access
> port on the switch and grab that via the collector laptop I have.
It's better to collect as much information you have without perturbing
the systems involved, anyways.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
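The pattern described at the top of this thread (SYNs to destination port 0, one RST+ACK from source port 0 per SYN, source ports stepping by two or three, a few SYNs per second) is easy to pull out of a packet capture once it has been collected from the monitor port. The following is an added example, not code from this thread or from any of its participants: a small pure-Python IPv4/TCP parser plus a summariser that groups port-0 SYNs by source/destination pair and reports the SYN rate, the source-port stride range, and how many RST+ACK replies from port 0 came back. The sample capture is constructed inline (the 10.0.0.x addresses, port numbers and timestamps are made up for the demo) so the script runs offline; to use it on a real capture you would feed it (timestamp, raw IP datagram) pairs from whatever reads your pcap.

```python
"""Flag TCP SYNs to destination port 0 and summarise them per host pair.

Added example for the thread above; the capture data below is constructed.
"""
import struct
from collections import defaultdict

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_packet(src_ip, dst_ip, sport, dport, flags):
    """Minimal IPv4+TCP datagram (no options, no payload, zero checksums).
    Constructed sample input for this demo, not real captured traffic."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return ip + tcp


def parse_packet(raw):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP datagram, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
    if raw[9] != 6 or len(raw) < ihl + 20:   # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13]              # TCP flags byte
    return src, dst, sport, dport, flags


def analyse(capture):
    """capture: iterable of (timestamp_seconds, raw_ipv4_datagram).

    Groups SYNs to destination port 0 by (src, dst); counts RST+ACK replies
    that come back from source port 0 on the same pair; reports SYN rate and
    the range of source-port increments between consecutive SYNs."""
    syns = defaultdict(list)      # (src, dst) -> [(ts, sport), ...]
    replies = defaultdict(int)    # (src, dst) -> RST+ACK count from dst:0
    for ts, raw in capture:
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        if dport == 0 and flags & TCP_SYN and not flags & TCP_ACK:
            syns[(src, dst)].append((ts, sport))
        elif sport == 0 and flags & TCP_RST and flags & TCP_ACK:
            replies[(dst, src)] += 1   # key by the original SYN direction
    report = {}
    for key, events in syns.items():
        events.sort()
        times = [t for t, _ in events]
        ports = [p for _, p in events]
        span = times[-1] - times[0]
        rate = (len(events) - 1) / span if span > 0 else 0.0
        strides = [b - a for a, b in zip(ports, ports[1:])]
        report[key] = {
            "syn_count": len(events),
            "syn_per_sec": round(rate, 2),
            "sport_stride_min": min(strides) if strides else None,
            "sport_stride_max": max(strides) if strides else None,
            "rst_ack_replies": replies.get(key, 0),
        }
    return report


def sample_capture():
    """Constructed: 8 SYNs from 10.0.0.5 to 10.0.0.9:0 at 4/s, source ports
    stepping by 2-3, each answered by RST+ACK from 10.0.0.9:0, plus one
    unrelated HTTPS SYN that must not be flagged."""
    pkts = []
    sport, steps = 40000, [2, 3, 2, 2, 3, 3, 2]
    for i in range(8):
        ts = i * 0.25
        pkts.append((ts, build_packet("10.0.0.5", "10.0.0.9", sport, 0, TCP_SYN)))
        pkts.append((ts + 0.01, build_packet("10.0.0.9", "10.0.0.5", 0, sport,
                                             TCP_RST | TCP_ACK)))
        if i < len(steps):
            sport += steps[i]
    pkts.append((0.5, build_packet("10.0.0.5", "10.0.0.20", 40100, 443, TCP_SYN)))
    return pkts


if __name__ == "__main__":
    for (src, dst), summary in analyse(sample_capture()).items():
        print(f"{src} -> {dst}:0  {summary}")
```

The rate uses the number of intervals rather than the number of packets so that a short burst is not overstated; the stride range is what distinguishes "a process grabbing the next ephemeral port each time" (small, fairly regular increments) from randomised source ports. Anything that shows up here is worth correlating with per-process socket listings on the sending host, as suggested earlier in the thread.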