Hello! Just add --syn flag:
12:51:51.150085 IP 192.168.0.127.14628 > 216.239.34.21.0: Flags [S], seq 680218921, win 512, length 0
12:51:51.150092 IP 192.168.0.127.14629 > 216.239.34.21.0: Flags [S], seq 2073100941, win 512, length 0
12:51:51.150100 IP 192.168.0.127.14630 > 216.239.34.21.0: Flags [S], seq 1003157405, win 512, length 0
12:51:51.150108 IP 192.168.0.127.14631 > 216.239.34.21.0: Flags [S], seq 466773687, win 512, length 0
12:51:51.150115 IP 192.168.0.127.14632 > 216.239.34.21.0: Flags [S], seq 338869897, win 512, length 0
12:51:51.150123 IP 192.168.0.127.14633 > 216.239.34.21.0: Flags [S], seq 1513724122, win 512, length 0
12:51:51.150130 IP 192.168.0.127.14634 > 216.239.34.21.0: Flags [S], seq 1971827612, win 512, length 0
12:51:51.150138 IP 192.168.0.127.14635 > 216.239.34.21.0: Flags [S], seq 168197290, win 512, length 0
12:51:51.150146 IP 192.168.0.127.14636 > 216.239.34.21.0: Flags [S], seq 1079714921, win 512, length 0
12:51:51.150153 IP 192.168.0.127.14637 > 216.239.34.21.0: Flags [S], seq 1634213253, win 512, length 0
12:51:51.150161 IP 192.168.0.127.14638 > 216.239.34.21.0: Flags [S], seq 1220755012, win 512, length 0
12:51:51.150168 IP 192.168.0.127.14639 > 216.239.34.21.0: Flags [S], seq 351031228, win 512, length 0
12:51:51.150176 IP 192.168.0.127.14640 > 216.239.34.21.0: Flags [S], seq 286599236, win 512, length 0
12:51:51.150184 IP 192.168.0.127.14641 > 216.239.34.21.0: Flags [S], seq 125907752, win 512, length 0

hping3 --flood --syn host.com

On Wed, Jun 17, 2015 at 12:50 PM, Maqbool Hashim <[email protected]> wrote:
> Hmm, no flags set in your output though?
>
> ________________________________________
> From: Pavel Odintsov <[email protected]>
> Sent: 17 June 2015 10:44
> To: Maqbool Hashim
> Cc: Marcin Cieslak; [email protected]
> Subject: Re: Flows with destination port 0 and TCP SYN flag set
>
> Hello!
>
> Looks like it's silly hping3 flood:
>
> 12:43:08.961024 IP 192.168.0.127.10562 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961031 IP 192.168.0.127.10563 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961039 IP 192.168.0.127.10564 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961046 IP 192.168.0.127.10565 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961054 IP 192.168.0.127.10566 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961062 IP 192.168.0.127.10567 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961070 IP 192.168.0.127.10568 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961077 IP 192.168.0.127.10569 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961085 IP 192.168.0.127.10570 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961093 IP 192.168.0.127.10571 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961101 IP 192.168.0.127.10572 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961108 IP 192.168.0.127.10573 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961116 IP 192.168.0.127.10574 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961123 IP 192.168.0.127.10575 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961131 IP 192.168.0.127.10576 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961139 IP 192.168.0.127.10577 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961146 IP 192.168.0.127.10578 > 216.239.32.21.0: Flags [.], win 512, length 0
> 12:43:08.961154 IP 192.168.0.127.10579 > 216.239.32.21.0: Flags [.], win 512, length 0
>
> Just try:
> hping3 --flood target_host.
>
> On Wed, Jun 17, 2015 at 12:34 PM, Maqbool Hashim <[email protected]> wrote:
>> Hi,
>>
>> The destination host is sending an ACK+RST with the source port set to zero.
>> The destination IP is always one of the two hosts that are generating the
>> SYN packets with a destination port of 0. The destination port, however, is
>> hard to match up to a source port in the original SYN packet due to the fact
>> that we don't have all the packets.
>>
>> It's actually going to be difficult to get the access and procedural sign-off
>> etc. to run tcpdump on the machines involved. What might be easier is to set
>> up a span port for the hosts' access port on the switch and grab that via the
>> collector laptop I have.
>>
>> Thanks,
>>
>> MH
>>
>> ________________________________________
>> From: Marcin Cieslak <[email protected]>
>> Sent: 17 June 2015 10:30
>> To: Maqbool Hashim
>> Cc: [email protected]
>> Subject: Re: Flows with destination port 0 and TCP SYN flag set
>>
>> On Wed, 17 Jun 2015, Maqbool Hashim wrote:
>>
>>> It is always the same destination servers, and in normal operations
>>> these source and destination hosts do have a bunch of legitimate flows
>>> between them. I was leaning towards it being a reporting artifact,
>>> but it's interesting that there are a whole set of ACK+RST packets
>>> from the destination hosts with a source port of 0 also.
>>
>> So the destination host is sending ACK+RST with the *source* port
>> set to zero, or the *destination* port?
>>
>>> Does this not indicate that it probably isn't a reporting artifact?
>>
>> I would just tcpdump on one of the source machines to find out.
>>
>> ~Marcin
>
>
>
> --
> Sincerely yours, Pavel Odintsov

--
Sincerely yours, Pavel Odintsov
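As an added example (not code from the thread or any of its participants), a small Python detector that parses tcpdump summary lines like the ones quoted above and flags the pattern under discussion: a burst of pure SYNs to TCP port 0 from one source, spread over distinct source ports, correlated with RST+ACK replies whose source port is 0. The sample capture lines and the thresholds (10 packets within 1 s) are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the tcpdump TCP summary lines quoted in the thread (pattern written for that format).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse(line):
    """Return the fields of one tcpdump line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["secs"] = sum(x * float(v) for x, v in zip((3600, 60, 1), d["ts"].split(":")))
    return d

def find_port0_syn_floods(lines, min_packets=10, window=1.0):
    """Flag (src, dst) pairs sending >= min_packets pure SYNs to TCP port 0 within
    `window` seconds, and count RST+ACKs coming back from source port 0."""
    syns, rsts = defaultdict(list), defaultdict(int)
    for line in lines:
        p = parse(line)
        if p and p["dport"] == 0 and p["flags"] == "S":
            syns[(p["src"], p["dst"])].append((p["secs"], p["sport"]))
        elif p and p["sport"] == 0 and "R" in p["flags"]:
            rsts[(p["dst"], p["src"])] += 1   # keyed as (flood source, flood target)
    alerts = []
    for key, pkts in syns.items():
        times = sorted(t for t, _ in pkts)
        j = 0
        for i, t in enumerate(times):
            while t - times[j] > window:      # slide the left edge of the time window
                j += 1
            if i - j + 1 >= min_packets:
                alerts.append({"src": key[0], "dst": key[1], "packets": len(pkts),
                               "distinct_sports": len({sp for _, sp in pkts}),
                               "rst_replies": rsts.get(key, 0)})
                break
    return alerts

# Constructed sample modelled on the thread's capture: 14 SYNs to port 0 with
# consecutive source ports, one RST+ACK from port 0, and one legitimate SYN to 443.
SAMPLE = [f"12:51:51.{150085 + 8 * i:06d} IP 192.168.0.127.{14628 + i} > 216.239.34.21.0: "
          f"Flags [S], seq {1000 + i}, win 512, length 0" for i in range(14)] + [
    "12:51:51.150300 IP 216.239.34.21.0 > 192.168.0.127.14628: Flags [R.], seq 0, ack 1001, win 0, length 0",
    "12:51:52.000000 IP 192.168.0.127.50000 > 216.239.34.21.443: Flags [S], seq 1, win 29200, length 0",
]

print(find_port0_syn_floods(SAMPLE))
```

On a real capture, feed it `tcpdump -n -l 'tcp[tcpflags] & tcp-syn != 0' | python3 detector.py` style line by line; a pair that trips the rule with many distinct source ports and matching RST+ACKs from port 0 is the flood signature, not a collector reporting artifact.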

