Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Port 0 oddities

From: toasty () HOME DRAGONDATA COM (Kevin Day)
Date: Thu, 18 Jun 1998 15:27:54 -0500


After reading the inital post on Bugtraq concerning DoS attacks involving
port zero (and being basically a paretty paranoid person), I took a chance
that it was not a stack-disabling attack, and dropped in some ip
firewalling rules (linux, stable kernel) to block and log connections from
any machine using source port 0, or connections from any machine, destined
to port 0 here.  As bizarre as it sounds, apparently someone IS up to
something, since I've now logged this many blocked connections thus far.
I'm posting this because the inital post made the statement that these
incidences involved imapd (port 143)  and as we can see here, it's not
limited to just that one service.  I'd love sit and wait with a packet
dumper to have more information before speaking, but I'm about to go to
San Francisco for several days, and simply don't have the time.  :/
Possibly this confirmation of the rumor will get more people interested in
hunting down whatever the heck this is...



I'm seeing 200-5000 packets a day, either with the source 0 or the dest 0.
They're usually source 0, then a well-known port #... (sendmail, named,
whatever). Nothing has crashed yet, and I haven't seen any exploits, or any
trace of an exploit yet. At first I just logged the packets, now i'm
dropping them, since apparently people *think* they can crash something with
it.

Also, for those interested in what attempted exploits are being used most
often...

In a 7 day period:

3171 packets with a source address of one of my class C's.
12 packets from the 10.x.x.x reserved ranges
732 packets from 172. reserved ranges
56 packets from 192.168.x.x reserved ranged
18 packets with a destination address of x.x.x.255
3 packets with a destination address of x.x.x.0
3095 packets to port 139, when there's no reason for anyone to connect
there.
4390 packets with a source port 0
204 packets with a destination port 0
431 packets to port 111, when there's not reason for anyone to connect
there.


I'm leaving out other stuff i'm filtering, so I don't give the entire world
my list of filters, but it's interesting...

Kevin
Previous By Date Next
Previous By Thread Next

Current thread: