The Xmas Tree Violation in Flow Analytics looks for a packet known as a Christmas Tree Packet. A Christmas Tree Packet has every option set for whatever protocol is in use; such packets are also commonly known as “Kamikaze” packets, lamp test segments or nastygrams.

When a Christmas Tree Packet is sent for scanning purposes, the TCP flags FIN, URG and PSH are set. Some firewall security policies only check packets with the SYN flag set, and since the SYN flag is not used in a Christmas Tree Packet, such a firewall will not detect it and the packet will slide right through and reach its targeted host. Christmas Tree Packets can be used for DoS attacks as well, because they require more processing time from routers and hosts than a regular packet.

The Xmas Tree Violation in Flow Analytics helps prevent DoS attacks, network scanning and other reconnaissance on your network. When you receive Xmas Tree Violations I would look into them, because it is likely that some sort of reconnaissance activity is taking place on your network.
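As an added illustration (not Plixer's code and not the Flow Analytics algorithm), the sketch below checks constructed flow records for the FIN, URG and PSH combination described above and shows that a policy which only inspects SYN packets never looks at such a packet. The record field names, the sample addresses and the three-port reporting threshold are assumptions made for the example.

```python
from collections import defaultdict

# TCP flag bits as they appear in the TCP header and in a flow record's flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # 0x29, the combination named in the article


def is_xmas(tcp_flags):
    """True when FIN, PSH and URG are set and SYN, RST and ACK are all clear.

    Flow records usually carry the OR of every flag seen in the flow, so a
    normal session that happens to use URG also has SYN and ACK set and is
    not matched here.
    """
    return tcp_flags & (FIN | SYN | RST | PSH | ACK | URG) == XMAS


def syn_only_policy_inspects(tcp_flags):
    """Models the weak policy from the article: only SYN packets are checked."""
    return bool(tcp_flags & SYN)


def xmas_violations(flows, min_ports=3):
    """Group Xmas flows by (src, dst) and report pairs probing >= min_ports ports.

    min_ports is an assumed threshold for this example.
    """
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and is_xmas(f["tcp_flags"]):
            ports[(f["src"], f["dst"])].add(f["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


# Constructed sample flow records (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22, "proto": 6, "tcp_flags": 0x29},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 80, "proto": 6, "tcp_flags": 0x29},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 443, "proto": 6, "tcp_flags": 0x29},
    # Ordinary web session: FIN|SYN|PSH|ACK accumulated over the flow.
    {"src": "203.0.113.5", "dst": "192.0.2.10", "dport": 443, "proto": 6, "tcp_flags": 0x1B},
    # Session that used urgent data: all six flags seen, so SYN and ACK are present.
    {"src": "203.0.113.9", "dst": "192.0.2.10", "dport": 23, "proto": 6, "tcp_flags": 0x3F},
    # UDP flow: no TCP flags apply.
    {"src": "203.0.113.5", "dst": "192.0.2.53", "dport": 53, "proto": 17, "tcp_flags": 0x00},
]

if __name__ == "__main__":
    for pair, probed in xmas_violations(SAMPLE_FLOWS).items():
        print(f"Xmas Tree Violation: {pair[0]} -> {pair[1]} ports {probed}")
```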


Jamie Lee

Jamie Lee is the west coast Regional Manager at Plixer. He works with prospects to solve the unique needs of their network and visits existing customers to assist with training. He enjoys developing new partnerships and building long-lasting relationships with his clients. Jamie loves the outdoors and his favorite hobbies include fishing, hiking, and football.

