Hello! Just add --syn flag:

12:51:51.150085 IP 192.168.0.127.14628 > 216.239.34.21.0: Flags [S], seq 680218921, win 512, length 0
12:51:51.150092 IP 192.168.0.127.14629 > 216.239.34.21.0: Flags [S], seq 2073100941, win 512, length 0
12:51:51.150100 IP 192.168.0.127.14630 > 216.239.34.21.0: Flags [S], seq 1003157405, win 512, length 0
12:51:51.150108 IP 192.168.0.127.14631 > 216.239.34.21.0: Flags [S], seq 466773687, win 512, length 0
12:51:51.150115 IP 192.168.0.127.14632 > 216.239.34.21.0: Flags [S], seq 338869897, win 512, length 0
12:51:51.150123 IP 192.168.0.127.14633 > 216.239.34.21.0: Flags [S], seq 1513724122, win 512, length 0
12:51:51.150130 IP 192.168.0.127.14634 > 216.239.34.21.0: Flags [S], seq 1971827612, win 512, length 0
12:51:51.150138 IP 192.168.0.127.14635 > 216.239.34.21.0: Flags [S], seq 168197290, win 512, length 0
12:51:51.150146 IP 192.168.0.127.14636 > 216.239.34.21.0: Flags [S], seq 1079714921, win 512, length 0
12:51:51.150153 IP 192.168.0.127.14637 > 216.239.34.21.0: Flags [S], seq 1634213253, win 512, length 0
12:51:51.150161 IP 192.168.0.127.14638 > 216.239.34.21.0: Flags [S], seq 1220755012, win 512, length 0
12:51:51.150168 IP 192.168.0.127.14639 > 216.239.34.21.0: Flags [S], seq 351031228, win 512, length 0
12:51:51.150176 IP 192.168.0.127.14640 > 216.239.34.21.0: Flags [S], seq 286599236, win 512, length 0
12:51:51.150184 IP 192.168.0.127.14641 > 216.239.34.21.0: Flags [S], seq 125907752, win 512, length 0

hping3 --flood --syn host.com

On Wed, Jun 17, 2015 at 12:50 PM, Maqbool Hashim <maqbool@madbull.info> wrote:
Hmm, no flags set in your output though?
________________________________________
From: Pavel Odintsov <pavel.odintsov@gmail.com>
Sent: 17 June 2015 10:44
To: Maqbool Hashim
Cc: Marcin Cieslak; nanog@nanog.org
Subject: Re: Flows with destination port 0 and TCP SYN flag set
Hello!
Looks like it's silly hping3 flood:
12:43:08.961024 IP 192.168.0.127.10562 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961031 IP 192.168.0.127.10563 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961039 IP 192.168.0.127.10564 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961046 IP 192.168.0.127.10565 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961054 IP 192.168.0.127.10566 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961062 IP 192.168.0.127.10567 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961070 IP 192.168.0.127.10568 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961077 IP 192.168.0.127.10569 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961085 IP 192.168.0.127.10570 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961093 IP 192.168.0.127.10571 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961101 IP 192.168.0.127.10572 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961108 IP 192.168.0.127.10573 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961116 IP 192.168.0.127.10574 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961123 IP 192.168.0.127.10575 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961131 IP 192.168.0.127.10576 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961139 IP 192.168.0.127.10577 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961146 IP 192.168.0.127.10578 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961154 IP 192.168.0.127.10579 > 216.239.32.21.0: Flags [.], win 512, length 0
Just try: hping3 --flood target_host.
On Wed, Jun 17, 2015 at 12:34 PM, Maqbool Hashim <maqbool@madbull.info> wrote:
Hi,
The destination host is sending an ACK+RST with the source port set to zero. The destination IP is always one of the two hosts that are generating the SYN packets with a destination port of 0. The destination port however is hard to match up to a source port in the original SYN packet due to the fact that we don't have all the packets.
It's actually going to be difficult to get the access and procedural sign-off, etc., to run tcpdump on the machines involved. What might be easier is to set up a SPAN port for the host's access port on the switch and grab that via the collector laptop I have.
Thanks,
MH
________________________________________
From: Marcin Cieslak <saper@saper.info>
Sent: 17 June 2015 10:30
To: Maqbool Hashim
Cc: nanog@nanog.org
Subject: Re: Flows with destination port 0 and TCP SYN flag set
On Wed, 17 Jun 2015, Maqbool Hashim wrote:
It is always the same destination servers and in normal operations these source and destination hosts do have a bunch of legitimate flows between them. I was leaning towards it being a reporting artifact, but it's interesting that there are a whole set of Ack Reset packets from the destination hosts with a source port of 0 also.
So the destination host is sending ACK+RST with the *source* port set to zero, or the *destination* port?
Does this not indicate that it probably isn't a reporting artifact?
I would just tcpdump on one of the source machines to find out.
~Marcin
-- Sincerely yours, Pavel Odintsov
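The thread identifies the traffic by eye: TCP to destination port 0, zero payload, a constant window of 512, and a source port that climbs by one per packet, which is what hping3's default per-packet source-port increment produces, with Flags [.] unless --syn is given. The script below is an added example, not part of any message in the thread, that turns those observations into a check you can run over tcpdump's default TCP summary lines (for instance from the SPAN-port capture Maqbool mentions). The sample capture inside it is constructed, modelled on the lines Pavel posted, with a RST+ACK from source port 0 and two ordinary SYNs added so the filter has something to ignore; the thresholds and the 216.239.x.x / 192.168.x.x addresses are assumptions, not data from the list.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's default TCP summary format, modelled on the lines posted
# in the thread. Not a real trace: six hping3-style packets to port 0 with an incrementing
# source port, one RST+ACK the target answers from source port 0 (what Maqbool reports
# seeing), and two ordinary SYNs to 443 that must not be flagged.
SAMPLE_CAPTURE = """\
12:51:51.150085 IP 192.168.0.127.14628 > 216.239.34.21.0: Flags [S], seq 680218921, win 512, length 0
12:51:51.150092 IP 192.168.0.127.14629 > 216.239.34.21.0: Flags [S], seq 2073100941, win 512, length 0
12:51:51.150100 IP 192.168.0.127.14630 > 216.239.34.21.0: Flags [S], seq 1003157405, win 512, length 0
12:51:51.150108 IP 192.168.0.127.14631 > 216.239.34.21.0: Flags [S], seq 466773687, win 512, length 0
12:51:51.150115 IP 192.168.0.127.14632 > 216.239.34.21.0: Flags [S], seq 338869897, win 512, length 0
12:51:51.150123 IP 192.168.0.127.14633 > 216.239.34.21.0: Flags [S], seq 1513724122, win 512, length 0
12:51:51.150400 IP 216.239.34.21.0 > 192.168.0.127.14628: Flags [R.], seq 0, ack 680218922, win 0, length 0
12:51:51.200000 IP 192.168.0.50.51234 > 216.239.34.21.443: Flags [S], seq 11111, win 64240, options [mss 1460], length 0
12:51:51.300000 IP 192.168.0.50.51240 > 216.239.34.21.443: Flags [S], seq 22222, win 64240, options [mss 1460], length 0
"""

# "HH:MM:SS.frac IP a.b.c.d.sport > e.f.g.h.dport: Flags [..], <rest>"
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)


def parse_tcpdump(text):
    """Parse tcpdump TCP summary lines into dicts; lines in any other format are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        win = re.search(r"win (\d+)", rest)
        length = re.search(r"length (\d+)", rest)
        h, mi, s = m.group("ts").split(":")
        pkts.append({
            "ts": int(h) * 3600 + int(mi) * 60 + float(s),  # seconds since midnight
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "flags": m.group("flags"),
            "win": int(win.group(1)) if win else None,
            "length": int(length.group(1)) if length else None,
        })
    return pkts


def find_port0_floods(pkts, min_packets=5):
    """Group packets sent to TCP port 0 by (src, dst) and summarise groups of at least
    min_packets (an assumed threshold). sequential_sport, constant_win and zero_length
    together are the hping3 --flood signature discussed in the thread."""
    groups = defaultdict(list)
    for p in pkts:
        if p["dport"] == 0:
            groups[(p["src"], p["dst"])].append(p)
    findings = {}
    for key, ps in groups.items():
        if len(ps) < min_packets:
            continue
        ps.sort(key=lambda p: p["ts"])
        sports = [p["sport"] for p in ps]
        span = ps[-1]["ts"] - ps[0]["ts"]
        findings[key] = {
            "packets": len(ps),
            "flags": sorted({p["flags"] for p in ps}),  # ['.'] for plain hping3, ['S'] with --syn
            "sequential_sport": all(b - a == 1 for a, b in zip(sports, sports[1:])),
            "sport_range": (sports[0], sports[-1]),
            "constant_win": len({p["win"] for p in ps}) == 1,
            "zero_length": all(p["length"] == 0 for p in ps),
            "pps": round(len(ps) / span) if span > 0 else None,
        }
    return findings


def port0_resets(pkts):
    """RST+ACK packets whose *source* port is 0: the target answering port-0 probes."""
    return [p for p in pkts if p["sport"] == 0 and "R" in p["flags"]]


if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE_CAPTURE)
    for (src, dst), s in find_port0_floods(pkts).items():
        print(f"{src} -> {dst}:0  {s}")
    for p in port0_resets(pkts):
        print(f"reset from {p['src']}:0 to {p['dst']}:{p['dport']} flags [{p['flags']}]")
```

Feed it `tcpdump -nn -l 'tcp and dst port 0'` output (or a saved capture printed with `tcpdump -nn -r file`) and the summary tells you whether the port-0 flow shows the sequential source ports, fixed window and empty payload that the thread attributes to hping3, rather than the random ports a real SYN flood or a NetFlow reporting artifact would show; the resets from source port 0 in the same capture are the matching half of the conversation Maqbool saw on the destination side.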