Re: Port 0 oddities

[S.Halsall () ERIS DERA GOV UK (Simon Halsall)]

I've been off bugtraq for a couple of weeks but I just saw these messages. I
have recently been putting logging into our cisco's rule set so that I can see
what traffic is being passed through our network. I spotted traffic that
appeared to be missed by the rules as it had src port 0 and dst port 0.

Further investigation showed that it was ssh that was causing this. I have
looked at the packets using tcpdump and they look find and what I would expect
but the cisco is still reporting packets from 0 to 0.

I will trawl back through the logs to find out if we have had any other
anomalies with port 0 before but I don't recall any. The rules for allowing
port 22 through seem to work fine for the initial connect but then it over to
port 0. We are using IOS 11.2. Anyone else seen anythin odd like this ?

Simon Halsall


In message <199806182027.PAA04739 () home dragondata com>,
        Kevin Day <toasty () HOME DRAGONDATA COM> writes:

> > After reading the inital post on Bugtraq concerning DoS attacks involving
> > port zero (and being basically a paretty paranoid person), I took a chance
> > that it was not a stack-disabling attack, and dropped in some ip
> > firewalling rules (linux, stable kernel) to block and log connections from
> > any machine using source port 0, or connections from any machine, destined
> > to port 0 here.  As bizarre as it sounds, apparently someone IS up to
> > something, since I've now logged this many blocked connections thus far.
> > I'm posting this because the inital post made the statement that these
> > incidences involved imapd (port 143)  and as we can see here, it's not
> > limited to just that one service.  I'd love sit and wait with a packet
> > dumper to have more information before speaking, but I'm about to go to
> > San Francisco for several days, and simply don't have the time.  :/
> > Possibly this confirmation of the rumor will get more people interested in
> > hunting down whatever the heck this is...
>
> I'm seeing 200-5000 packets a day, either with the source 0 or the dest 0.
> They're usually source 0, then a well-known port #... (sendmail, named,
> whatever). Nothing has crashed yet, and I haven't seen any exploits, or any
> trace of an exploit yet. At first I just logged the packets, now i'm
> dropping them, since apparently people *think* they can crash something with
> it.
>
> Also, for those interested in what attempted exploits are being used most
> often...
>
> In a 7 day period:
>
> 3171 packets with a source address of one of my class C's.
> 12 packets from the 10.x.x.x reserved ranges
> 732 packets from 172. reserved ranges
> 56 packets from 192.168.x.x reserved ranged
> 18 packets with a destination address of x.x.x.255
> 3 packets with a destination address of x.x.x.0
> 3095 packets to port 139, when there's no reason for anyone to connect
> there.
> 4390 packets with a source port 0
> 204 packets with a destination port 0
> 431 packets to port 111, when there's not reason for anyone to connect
> there.
>
>
> I'm leaving out other stuff i'm filtering, so I don't give the entire world
> my list of filters, but it's interesting...
>
> Kevin