Hello! Looks like it's silly hping3 flood:
12:43:08.961024 IP 192.168.0.127.10562 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961031 IP 192.168.0.127.10563 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961039 IP 192.168.0.127.10564 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961046 IP 192.168.0.127.10565 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961054 IP 192.168.0.127.10566 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961062 IP 192.168.0.127.10567 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961070 IP 192.168.0.127.10568 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961077 IP 192.168.0.127.10569 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961085 IP 192.168.0.127.10570 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961093 IP 192.168.0.127.10571 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961101 IP 192.168.0.127.10572 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961108 IP 192.168.0.127.10573 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961116 IP 192.168.0.127.10574 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961123 IP 192.168.0.127.10575 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961131 IP 192.168.0.127.10576 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961139 IP 192.168.0.127.10577 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961146 IP 192.168.0.127.10578 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961154 IP 192.168.0.127.10579 > 216.239.32.21.0: Flags [.], win 512, length 0

Just try: hping3 --flood target_host.

On Wed, Jun 17, 2015 at 12:34 PM, Maqbool Hashim <[email protected]> wrote:
> Hi,
>
> The destination host is sending an ACK+RST with the source port set to zero.
> The destination IP is always one of the two hosts that are generating the SYN
> packets with a destination port of 0. The destination port however is hard
> to match up to a source port in the original SYN packet due to the fact that
> we don't have all the packets.
>
> It's actually going to be difficult to get the access and procedural sign off
> etc. to run tcpdump on the machines involved. What might be easier is to set
> up a span port for the host's access port on the switch and grab that via the
> collector laptop I have.
>
> Thanks,
>
> MH
>
> ________________________________________
> From: Marcin Cieslak <[email protected]>
> Sent: 17 June 2015 10:30
> To: Maqbool Hashim
> Cc: [email protected]
> Subject: Re: Flows with destination port 0 and TCP SYN flag set
>
> On Wed, 17 Jun 2015, Maqbool Hashim wrote:
>
>> It is always the same destination servers and in normal operations
>> these source and destination hosts do have a bunch of legitimate flows
>> between them. I was leaning towards it being a reporting artifact,
>> but it's interesting that there are a whole set of Ack Reset packets
>> from the destination hosts with a source port of 0 also.
>
> So the destination host is sending ACK+RST with the *source* port
> set to zero, or the *destination* port?
>
>> Does this not indicate that it probably isn't a reporting artifact?
>
> I would just tcpdump on one of the source machines to find out.
>
> ~Marcin

--
Sincerely yours, Pavel Odintsov
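The features Pavel points at in the capture (destination port 0, zero-length segments, a constant window of 512, and source ports stepping up by one every few microseconds) are easy to check for mechanically, which is also how a collector on a span port, as Maqbool proposes, could confirm or rule out the "reporting artifact" theory without touching the hosts. The following Python is an added example and is not part of this thread or of any tool mentioned in it. It parses tcpdump summary lines of the shape quoted above, groups port-0 traffic per source/destination pair, and reports pairs matching that pattern. The flood lines are rebuilt from the timestamps and ports in the capture above; the benign lines are constructed, and names such as detect_port0_floods are the example's own.

```python
import re
from collections import defaultdict

# tcpdump TCP summary line shape as quoted in the thread, e.g.
# 12:43:08.961024 IP 192.168.0.127.10562 > 216.239.32.21.0: Flags [.], win 512, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], win (?P<win>\d+), length (?P<length>\d+)$"
)


def ts_to_seconds(ts: str) -> float:
    """Convert an HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line: str):
    """Parse one tcpdump TCP summary line; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "t": ts_to_seconds(m["ts"]),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"], "win": int(m["win"]), "length": int(m["length"]),
    }


def detect_port0_floods(lines, min_packets=10, max_span_s=1.0):
    """Return one finding per (src, dst) pair that sent at least `min_packets`
    segments to TCP port 0 within `max_span_s` seconds.

    Each finding also counts how many consecutive packets used a source port
    exactly one higher than the previous one: a packet generator walking the
    source port upward looks very different from real clients, whose
    ephemeral ports are far more irregular.
    """
    by_pair = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["dport"] == 0:
            by_pair[(pkt["src"], pkt["dst"])].append(pkt)

    findings = []
    for (src, dst), pkts in by_pair.items():
        pkts.sort(key=lambda p: p["t"])
        span = pkts[-1]["t"] - pkts[0]["t"]
        if len(pkts) < min_packets or span > max_span_s:
            continue
        sequential = sum(
            1 for a, b in zip(pkts, pkts[1:]) if b["sport"] == a["sport"] + 1
        )
        findings.append({
            "src": src, "dst": dst,
            "packets": len(pkts),
            "span_s": round(span, 6),
            "sequential_sport_steps": sequential,
            "flags": sorted({p["flags"] for p in pkts}),
            "windows": sorted({p["win"] for p in pkts}),
            "payload_bytes": sum(p["length"] for p in pkts),
        })
    return findings


# Microsecond parts of the 18 timestamps quoted in the thread; ports ran 10562..10579.
FLOOD_USEC = [961024, 961031, 961039, 961046, 961054, 961062, 961070, 961077, 961085,
              961093, 961101, 961108, 961116, 961123, 961131, 961139, 961146, 961154]
FLOOD_LINES = [
    f"12:43:08.{us:06d} IP 192.168.0.127.{10562 + i} > 216.239.32.21.0: "
    f"Flags [.], win 512, length 0"
    for i, us in enumerate(FLOOD_USEC)
]
# Constructed benign traffic (not from the thread): a normal handshake and a lone port-0 packet.
BENIGN_LINES = [
    "12:43:09.100000 IP 192.168.0.50.51234 > 216.239.32.21.443: Flags [S], win 29200, length 0",
    "12:43:09.120000 IP 216.239.32.21.443 > 192.168.0.50.51234: Flags [S.], win 65535, length 0",
    "12:43:09.200000 IP 192.168.0.51.40000 > 216.239.32.21.0: Flags [.], win 512, length 0",
]
SAMPLE_LINES = FLOOD_LINES + BENIGN_LINES

if __name__ == "__main__":
    for finding in detect_port0_floods(SAMPLE_LINES):
        print(finding)
```

Fed the capture from the thread, the detector reports one pair, 192.168.0.127 to 216.239.32.21: 18 packets in 130 microseconds, 17 consecutive +1 source-port steps, a single flag set, a single window size and no payload. A flow collector that only exports aggregate flow records would show the same traffic as a burst of one-packet flows to port 0, which is why it is hard to match against the RST replies and why a raw capture settles the question.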

