Bugtraq mailing list archives
Re: Port 0 oddities
From: S.Halsall () ERIS DERA GOV UK (Simon Halsall)
Date: Wed, 1 Jul 1998 18:04:28 +0100
I've been off bugtraq for a couple of weeks but I just saw these messages. I have recently been putting logging into our cisco's rule set so that I can see what traffic is being passed through our network. I spotted traffic that appeared to be missed by the rules as it had src port 0 and dst port 0. Further investigation showed that it was ssh that was causing this. I have looked at the packets using tcpdump and they look find and what I would expect but the cisco is still reporting packets from 0 to 0. I will trawl back through the logs to find out if we have had any other anomalies with port 0 before but I don't recall any. The rules for allowing port 22 through seem to work fine for the initial connect but then it over to port 0. We are using IOS 11.2. Anyone else seen anythin odd like this ? Simon Halsall In message <199806182027.PAA04739 () home dragondata com>, Kevin Day <toasty () HOME DRAGONDATA COM> writes:
After reading the inital post on Bugtraq concerning DoS attacks involving port zero (and being basically a paretty paranoid person), I took a chance that it was not a stack-disabling attack, and dropped in some ip firewalling rules (linux, stable kernel) to block and log connections from any machine using source port 0, or connections from any machine, destined to port 0 here. As bizarre as it sounds, apparently someone IS up to something, since I've now logged this many blocked connections thus far. I'm posting this because the inital post made the statement that these incidences involved imapd (port 143) and as we can see here, it's not limited to just that one service. I'd love sit and wait with a packet dumper to have more information before speaking, but I'm about to go to San Francisco for several days, and simply don't have the time. :/ Possibly this confirmation of the rumor will get more people interested in hunting down whatever the heck this is...I'm seeing 200-5000 packets a day, either with the source 0 or the dest 0. They're usually source 0, then a well-known port #... (sendmail, named, whatever). Nothing has crashed yet, and I haven't seen any exploits, or any trace of an exploit yet. At first I just logged the packets, now i'm dropping them, since apparently people *think* they can crash something with it. Also, for those interested in what attempted exploits are being used most often... In a 7 day period: 3171 packets with a source address of one of my class C's. 12 packets from the 10.x.x.x reserved ranges 732 packets from 172. reserved ranges 56 packets from 192.168.x.x reserved ranged 18 packets with a destination address of x.x.x.255 3 packets with a destination address of x.x.x.0 3095 packets to port 139, when there's no reason for anyone to connect there. 4390 packets with a source port 0 204 packets with a destination port 0 431 packets to port 111, when there's not reason for anyone to connect there. I'm leaving out other stuff i'm filtering, so I don't give the entire world my list of filters, but it's interesting... Kevin
Current thread:
- Re: Port 0 oddities Simon Halsall (Jul 01)
- Re: Port 0 oddities Chris Fletcher (Jul 02)
- Re: Port 0 oddities Niels Bakker (Jul 02)