Short Version: Has anyone noticed their Sophos Central endpoint clients on Macs generating out of state traffic, specifically packets with the FIN-ACK packet set?
Long Version: For the past two weeks or so, we have noticed "out of state" traffic volumes on our internal firewalls increasing dramatically. This morning, 70% of the traffic on the firewalls that protect our workstations is "out of state". The traffic is specifically FIN-ACK traffic. Our first thought was that we might have something malicious going on, and what we were seeing was our clients participating in a DDOS using FIN-ACK flooding.
Upon further examination, we noticed that the traffic was being generated by the Sophos Web Intelligence service on, as far as we can tell, only OSX machines. The volume per machine seemed to vary, with some machines being extremely chatty while others were not. The most affected machines seemed to also have issues accessing the web reliably.
I opened a ticket with Sophos, and I got the strangest response. The response was that this traffic was expected, that because the traffic was to trusted destinations, that the FIN-ACK flag was set.
Now for those of you who work with networks regularly, and look at packet captures, a system not generating a TCP connection SYN when initiating a system isn't really something that should happen, unless you are attacking something or scanning something. FIN-ACK traffic is used as a volume based attack. My firewall blocks this traffic by default because it is out of state.
I've requested that engineering or development or whomever confirm what the tech is telling me, because I don't believe it. I think something is broken and that they are just trying to close a ticket that is too hard.
Is anyone out there seeing this? The easiest symptom is FIN-ACK traffic coming from Mac devices with the Sophos Central AV client installed.
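For anyone wanting to confirm the symptom from their own captures rather than from firewall counters, here is an added example (not from the original post or from Sophos) of the stateful check the firewall is effectively doing: a FIN-ACK segment counts as "out of state" when the tracker never saw a client SYN for that 4-tuple. It is a simplified tracker (no timeouts, no sequence-number validation), and the packet records and the 10.0.0.x / 203.0.113.10 addresses are constructed sample data.

```python
"""Flag TCP FIN-ACK segments that belong to no connection the tracker saw open."""
from collections import defaultdict

# TCP flag bits as they appear in the TCP header flags field.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def _conn_key(src, sport, dst, dport):
    # Direction-independent key so both halves of a flow map to one connection.
    return tuple(sorted(((src, sport), (dst, dport))))


def classify_fin_ack(packets):
    """packets: iterable of (src, sport, dst, dport, flags) in capture order.

    Returns {src_host: {"total": n, "out_of_state": m}} counting FIN-ACK segments
    per sending host; out_of_state are those with no prior SYN for the 4-tuple."""
    conns = {}  # conn key -> set of endpoints that have already sent FIN
    stats = defaultdict(lambda: {"total": 0, "out_of_state": 0})
    for src, sport, dst, dport, flags in packets:
        key = _conn_key(src, sport, dst, dport)
        if flags & SYN and not flags & ACK:
            conns[key] = set()  # client SYN: connection is now in state
        elif flags & FIN and flags & ACK:
            stats[src]["total"] += 1
            if key not in conns:
                stats[src]["out_of_state"] += 1  # FIN-ACK with no handshake seen
            else:
                conns[key].add((src, sport))
                if len(conns[key]) == 2:  # both sides closed: forget the flow
                    del conns[key]
        elif flags & RST:
            conns.pop(key, None)
    return dict(stats)


def out_of_state_ratio(stats):
    """Fraction of each host's FIN-ACK traffic that was out of state."""
    return {h: s["out_of_state"] / s["total"] for h, s in stats.items() if s["total"]}


# Constructed sample: one normal HTTPS session from 10.0.0.5, and a "chatty"
# host 10.0.0.7 emitting FIN-ACKs to the same destination with no SYN first.
SAMPLE_PACKETS = [
    ("10.0.0.5", 50001, "203.0.113.10", 443, SYN),
    ("203.0.113.10", 443, "10.0.0.5", 50001, SYN | ACK),
    ("10.0.0.5", 50001, "203.0.113.10", 443, ACK),
    ("10.0.0.5", 50001, "203.0.113.10", 443, FIN | ACK),
    ("203.0.113.10", 443, "10.0.0.5", 50001, FIN | ACK),
    ("10.0.0.7", 50002, "203.0.113.10", 443, FIN | ACK),
    ("10.0.0.7", 50003, "203.0.113.10", 443, FIN | ACK),
    ("10.0.0.7", 50004, "203.0.113.10", 443, FIN | ACK),
]

if __name__ == "__main__":
    print(out_of_state_ratio(classify_fin_ack(SAMPLE_PACKETS)))
```

Feeding it records parsed from a real capture gives a per-host ratio you can compare against the firewall's out-of-state counters before escalating the ticket.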