nanog mailing list archives
Re: Flows with destination port 0 and TCP SYN flag set
From: "Roland Dobbins" <rdobbins () arbor net>
Date: Wed, 17 Jun 2015 11:07:58 +0200
On 17 Jun 2015, at 10:44, Maqbool Hashim wrote:
> It was stated in that thread that netflow reports source/dest port 0 for non-initial fragments.
Fragmentation in this context only applies to UDP packets.

If the destination of a TCP SYN is being reported as 0 (what's the source port?), either it's a reporting artifact of some kind or in fact a SYN destined to TCP/0 (we see this with SYN-floods, sometimes, as well as with attacks attempting to bypass ACL/firewall rules and related to compromise).
----------------------------------- Roland Dobbins <rdobbins () arbor net>
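An added example, not part of the original message or of any exporter's code: a packet-level triage that separates the two cases discussed above, a non-initial IPv4 fragment (no L4 header, so a flow exporter has no ports to report) from a real TCP SYN addressed to port 0. The names `classify`, `ipv4` and `tcp` and all sample packets are constructed for illustration.

```python
import struct

TCP, UDP, SYN = 6, 17, 0x02

def classify(pkt: bytes) -> str:
    """Triage one raw IPv4 packet whose flow record showed port 0."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto = pkt[9]
    if frag_offset > 0:
        # Payload continues an earlier fragment: there is no L4 header here,
        # so any "port" read from it would be garbage; exporters report 0.
        return "non-initial-fragment"
    if proto not in (TCP, UDP):
        return "other-protocol"
    l4 = pkt[ihl:]
    if len(l4) < (14 if proto == TCP else 4):
        return "truncated"
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == TCP and dport == 0 and l4[13] & SYN:
        return "tcp-syn-to-port-0"                 # real header, real port 0
    if sport == 0 or dport == 0:
        return "port-0-on-wire"
    return "normal"

def ipv4(proto: int, frag_field: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum left 0) using documentation addresses."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                       frag_field, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + payload

def tcp(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header with the given ports and flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed sample packets, one per case.
SAMPLES = {
    "syn_to_0": ipv4(TCP, 0, tcp(40000, 0, SYN)),
    "later_fragment": ipv4(UDP, 185, b"\x00" * 32),          # offset 185 * 8 bytes
    "first_fragment": ipv4(UDP, 0x2000, struct.pack("!HHHH", 5000, 53, 8, 0)),
    "syn_to_443": ipv4(TCP, 0, tcp(40000, 443, SYN)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15s} {classify(pkt)}")
```

Running this over a packet capture taken at the exporting interface shows whether port-0 flow records correspond to fragments or to SYNs that really carry destination port 0.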