Bugtraq mailing list archives
Re: Port 0 oddities
From: toasty () HOME DRAGONDATA COM (Kevin Day)
Date: Thu, 18 Jun 1998 15:27:54 -0500
After reading the inital post on Bugtraq concerning DoS attacks involving port zero (and being basically a paretty paranoid person), I took a chance that it was not a stack-disabling attack, and dropped in some ip firewalling rules (linux, stable kernel) to block and log connections from any machine using source port 0, or connections from any machine, destined to port 0 here. As bizarre as it sounds, apparently someone IS up to something, since I've now logged this many blocked connections thus far. I'm posting this because the inital post made the statement that these incidences involved imapd (port 143) and as we can see here, it's not limited to just that one service. I'd love sit and wait with a packet dumper to have more information before speaking, but I'm about to go to San Francisco for several days, and simply don't have the time. :/ Possibly this confirmation of the rumor will get more people interested in hunting down whatever the heck this is...
I'm seeing 200-5000 packets a day, either with the source 0 or the dest 0. They're usually source 0, then a well-known port #... (sendmail, named, whatever). Nothing has crashed yet, and I haven't seen any exploits, or any trace of an exploit yet. At first I just logged the packets, now i'm dropping them, since apparently people *think* they can crash something with it. Also, for those interested in what attempted exploits are being used most often... In a 7 day period: 3171 packets with a source address of one of my class C's. 12 packets from the 10.x.x.x reserved ranges 732 packets from 172. reserved ranges 56 packets from 192.168.x.x reserved ranged 18 packets with a destination address of x.x.x.255 3 packets with a destination address of x.x.x.0 3095 packets to port 139, when there's no reason for anyone to connect there. 4390 packets with a source port 0 204 packets with a destination port 0 431 packets to port 111, when there's not reason for anyone to connect there. I'm leaving out other stuff i'm filtering, so I don't give the entire world my list of filters, but it's interesting... Kevin
Current thread:
- Port 0 oddities Dagmar d'Surreal (Jun 17)
- Re: Port 0 oddities Kevin Day (Jun 18)