Educause Security Discussion mailing list archives
Re: TCP port 0
From: Doug Pearson <dodpears () INDIANA EDU>
Date: Wed, 24 Nov 2004 11:41:50 -0500
At 10:05 AM 11/24/2004 -0600, John Kristoff wrote:
> On Wed, 24 Nov 2004 10:21:37 -0500 Bernie Timberman <BTIMBERMAN () DEPAUW EDU> wrote:
>> We have been seeing a lot of traffic lately on tcp port 0. Anyone else seeing traffic on that port and is anyone blocking that port?
>
> Depending on how you are 'seeing' the traffic, much of it may only be fragments of a larger TCP packet using ports not known to that fragment. Data retrieved via network flows (e.g. Netflow) is typically reported this way. I do not know of any legitimate use of TCP port 0, but port 0 is widely used in UDP-based applications. Particularly the source port for things like streaming media. UDP source port 0 is specifically legitimate per RFC 768 so be careful what you filter.

I ran a quick check of a darknet, and saw 12 hits on TCP/0 out of 9.17 million total hits, and those TCP/0 hits appeared to be backscatter from source-spoofed DOS activity rather than true scans at TCP/0.

Scanning TCP/0 can be used to fingerprint systems[1].

I'd be interested in off-list detail about the observations.

Doug Pearson
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630, ren-isac () iu edu
http://www.ren-isac.net

[1] http://www.networkpenetration.com/port0.html

-o0o-

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
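
The two points made in this thread (non-first fragments showing up as port 0 in flow data, and TCP/0 hits on a darknet being backscatter rather than scans) can be separated by looking at the IP fragment offset and the TCP flags. The sketch below is an added example, not code from either poster; the label names, the helper functions and the flag heuristic are this example's assumptions, and the packets are constructed.

```python
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10

def build_ipv4(proto, payload, frag_off=0):
    """Build a constructed IPv4 packet (checksum 0, documentation addresses)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                      frag_off // 8, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

def build_tcp(sport, dport, flags):
    """Build a constructed 20-byte TCP header with the given ports and flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def classify(pkt):
    """Label one packet seen on a darknet sensor (labels are this example's own)."""
    ihl = (pkt[0] & 0x0F) * 4
    (flags_frag,) = struct.unpack("!H", pkt[6:8])
    if flags_frag & 0x1FFF:
        # Non-zero fragment offset: no TCP/UDP header in this packet, so a
        # flow exporter has no ports to read and typically records 0.
        return "fragment"
    if pkt[9] != 6 or len(pkt) < ihl + 14:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if 0 not in (sport, dport):
        return "other"
    tcp_flags = pkt[ihl + 13]
    # A darknet never sends, so SYN/ACK or RST arriving there is a reply to
    # someone else's spoofed packet (backscatter); a bare SYN is a probe.
    if tcp_flags & RST or (tcp_flags & SYN and tcp_flags & ACK):
        return "backscatter"
    if tcp_flags & SYN:
        return "probe"
    return "tcp0-unclassified"

def tally(packets):
    """Count labels over a batch of raw IPv4 packets."""
    counts = {}
    for p in packets:
        counts[classify(p)] = counts.get(classify(p), 0) + 1
    return counts

SAMPLES = [  # constructed packets, not captured traffic
    build_ipv4(6, b"\x00" * 32, frag_off=1480),  # later fragment of a large packet
    build_ipv4(6, build_tcp(80, 0, SYN | ACK)),  # reply to a spoofed SYN
    build_ipv4(6, build_tcp(80, 0, RST | ACK)),  # reset sent to a spoofed source
    build_ipv4(6, build_tcp(40000, 0, SYN)),     # direct probe of TCP/0
    build_ipv4(6, build_tcp(40000, 443, SYN)),   # ordinary scan, not port 0
]
```

Calling `tally(SAMPLES)` gives the per-label counts; on real data the same split shows whether TCP/0 volume is fragments, backscatter or direct probes before any filter is written.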