nanog mailing list archives

Re: Flows with destination port 0 and TCP SYN flag set


From: Maqbool Hashim <maqbool () madbull info>
Date: Wed, 17 Jun 2015 11:56:04 +0000

So, progressed to grabbing full packet dumps via monitor ports.  This confirmed that indeed the two hosts in question 
are generating traffic to the same four destinations with a destination port of zero.  Now that I have a full packet 
dump, I see reset + ack packets coming back from source port 0 for every single one of the initial SYN packets.  It also 
does look like a "scan" of some sort, as the source port numbers are increasing by two or three every time and roughly 
3-4 SYN packets per second are being sent.  I am guessing this would be a process binding to the next available TCP port 
on the source machine.

As far as I can tell, to progress the analysis I need to move to doing forensics on the host itself.  It could be (as 
Pavel pointed out) a utility like hping3 that someone has left running and forgotten about.  On the other hand it 
could be something more malicious; I just don't know at the moment.  Any advice on this aspect would be great, unless it 
is considered off topic.

Finally, I don't see how it could be, but I'd be interested to hear people's thoughts: no legitimate application could be 
generating this traffic, could it?  I mean, I don't see what use an application could make of such a TCP conversation, 
network analysis tools etc. aside.  This machine runs a whole host of proprietary control system protocols, so I haven't 
discarded the possibility totally, but I just can't see what an application protocol could find useful in a bunch of 
reset + ack packets being received from the destination hosts.

Regards,

MH
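
One way to confirm the pattern described above from the capture itself, as an added example that is not part of the original post: a Python script (mine, not the poster's) that reads `tcpdump -nn` text output, picks out SYNs to TCP port 0, and reports per source host the destinations, the source-port deltas, the SYN rate, and whether every probe drew a RST+ACK from port 0. The capture lines are constructed to mimic the thread's description, and the function names and thresholds (`min_syns`, `max_step`) are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in tcpdump -nn style; NOT a capture from the thread.
# 10.0.0.5 sends SYNs to port 0 on two hosts, source port rising by 2-3 each
# time, about 3 per second, and every SYN is answered with RST+ACK from port 0.
# The last two lines are an ordinary handshake to port 443 for contrast.
SAMPLE_CAPTURE = """\
11:56:04.000100 IP 10.0.0.5.40000 > 192.0.2.10.0: Flags [S], seq 1, win 512, length 0
11:56:04.000900 IP 192.0.2.10.0 > 10.0.0.5.40000: Flags [R.], seq 0, ack 2, win 0, length 0
11:56:04.300100 IP 10.0.0.5.40002 > 192.0.2.11.0: Flags [S], seq 1, win 512, length 0
11:56:04.300900 IP 192.0.2.11.0 > 10.0.0.5.40002: Flags [R.], seq 0, ack 2, win 0, length 0
11:56:04.600100 IP 10.0.0.5.40005 > 192.0.2.10.0: Flags [S], seq 1, win 512, length 0
11:56:04.600900 IP 192.0.2.10.0 > 10.0.0.5.40005: Flags [R.], seq 0, ack 2, win 0, length 0
11:56:04.900100 IP 10.0.0.5.40007 > 192.0.2.11.0: Flags [S], seq 1, win 512, length 0
11:56:04.900900 IP 192.0.2.11.0 > 10.0.0.5.40007: Flags [R.], seq 0, ack 2, win 0, length 0
11:56:05.000000 IP 10.0.0.5.51234 > 192.0.2.20.443: Flags [S], seq 9, win 29200, length 0
11:56:05.000800 IP 192.0.2.20.443 > 10.0.0.5.51234: Flags [S.], seq 0, ack 10, win 65535, length 0
"""

# One IPv4 TCP summary line as printed by `tcpdump -nn`: timestamp, src.port,
# dst.port and the flag letters in brackets (S=SYN, R=RST, '.'=ACK).
# IPv6 ("IP6") and non-TCP lines deliberately do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for a recognised IPv4 TCP line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Time-of-day only; a capture spanning midnight would need the -tttt format.
    d["ts"] = datetime.strptime(d["ts"], "%H:%M:%S.%f")
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def summarize_port0_syns(capture_text):
    """Per source IP: SYNs sent to TCP port 0, how they were answered, and the
    source-port/timing pattern that separates a sweep from a single stray packet."""
    pkts = [p for p in map(parse_line, capture_text.splitlines()) if p]
    syns = defaultdict(list)  # probing host -> SYN packets to port 0
    for p in pkts:
        if p["dport"] == 0 and "S" in p["flags"] and "R" not in p["flags"]:
            syns[p["src"]].append(p)

    report = {}
    for prober, sent in syns.items():
        sent.sort(key=lambda p: p["ts"])
        probed_ports = {p["sport"] for p in sent}
        # RST+ACK coming back from port 0 of a probed host to a probed source port.
        rst_acks = sum(
            1 for p in pkts
            if p["dst"] == prober and p["sport"] == 0 and p["dport"] in probed_ports
            and "R" in p["flags"] and "." in p["flags"]
        )
        span = (sent[-1]["ts"] - sent[0]["ts"]).total_seconds()
        report[prober] = {
            "syn_count": len(sent),
            "destinations": sorted({p["dst"] for p in sent}),
            "sport_deltas": [b["sport"] - a["sport"] for a, b in zip(sent, sent[1:])],
            "rate_per_s": (len(sent) - 1) / span if span > 0 else 0.0,
            "rst_ack_replies": rst_acks,
        }
    return report


def looks_like_port0_sweep(entry, min_syns=3, max_step=8):
    """Heuristic with assumed thresholds: several SYNs to port 0, source port climbing
    in small steps, every probe answered by RST+ACK.  Not proof of malice: an hping3
    left running produces exactly this shape."""
    return (
        entry["syn_count"] >= min_syns
        and all(0 < d <= max_step for d in entry["sport_deltas"])
        and entry["rst_ack_replies"] == entry["syn_count"]
    )


if __name__ == "__main__":
    for src, entry in summarize_port0_syns(SAMPLE_CAPTURE).items():
        verdict = "sweep-like" if looks_like_port0_sweep(entry) else "inconclusive"
        print(src, verdict, entry)
```

Feed it the text output of `tcpdump -nn -r capture.pcap 'tcp port 0'` from the SPAN-port laptop.  The climbing source ports it reports are what to match against `netstat -antp` (or `ss -antp`) on the sending host to find the owning process, which is the host-side step the thread is heading towards.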

________________________________________
From: NANOG <nanog-bounces+maqbool=madbull.info () nanog org> on behalf of Maqbool Hashim <maqbool () madbull info>
Sent: 17 June 2015 10:54
To: Roland Dobbins; nanog () nanog org
Subject: Re: Flows with destination port 0 and TCP SYN flag set

Agreed.  Might see if I can get netstat -antp output from the operators at some point though.

I will start with one of the hosts; it looks like the whole flow-capturing exercise for this LAN will need to be done 
using multiple laptops connected to the different access ports for the hosts.  No RSPAN support on these switches and 
no netflow :(

________________________________________
From: NANOG <nanog-bounces () nanog org> on behalf of Roland Dobbins <rdobbins () arbor net>
Sent: 17 June 2015 10:44
To: nanog () nanog org
Subject: Re: Flows with destination port 0 and TCP SYN flag set

On 17 Jun 2015, at 11:34, Maqbool Hashim wrote:

> What might be easier is to set up a span port for the hosts access
> port on the switch and grab that via the collector laptop I have.

It's better to collect as much information you have without perturbing
the systems involved, anyways.

-----------------------------------
Roland Dobbins <rdobbins () arbor net>

