Re: Outbound Port 0 UDP?
From: Mark Bassett <zosxavius () gmail com>
Date: Mon, 06 Jun 2005 22:06:16 -0400

Windump helped me sort this out.
20:10:22.458929 IP kia.60400 > 126.96.36.199.cust.bluewin.ch.0: UDP,
It appears people have begun using port 0 for a data port for
Bittorrent. Why someone would use a reserved port that does not accept
inbound connections I have no idea unless they do not know what they are
doing. Only the OS should answer to port 0 and different OSes answer
differently, thus allowing fingerprinting. I could see having inbound
port 0 attempts, but why a client would request UDP to port 0 is beyond
me. As such port 0 should be firewalled heavily IMO, unless you would
like to route it to a honeypot. Is it possible to run an unpatched
Windows95 box in the DMZ for a long period of time? I think it would
make a lovely target. Needless to say this recent scare has motivated me
to set up a diskless firewall/router with snort. Since my home LAN is
sitting behind a NAT with every port stealthed I really haven't had many
problems running firewalls on all my machines. The inbound trojan
traffic is troubling however as well with the constant portscans. For
some reason I've noticed a very large spike in the last 6 months of logs
I've had. I guess the zombie networks are on the rise these days.
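
Added example, not part of the original message: a small Python filter that does over a saved text capture what the Windump line above shows for one packet, listing UDP packets whose source or destination port is 0 and counting them per inside host. The sample lines, host names and the `local_hosts` set are constructed assumptions, and the `UDP, length N` summary format is assumed from tcpdump/windump text output.

```python
import re
from collections import Counter

# tcpdump/windump text output: "<time> IP <src>.<port> > <dst>.<port>: <summary>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

def split_endpoint(endpoint):
    """Split 'host.port' on the LAST dot, since host names and IPs contain dots."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def udp_port_zero(lines, local_hosts):
    """Return (ts, src, dst, direction) for each UDP packet whose source or
    destination port is 0. local_hosts is an assumed set of inside hosts."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        # Only UDP summaries: ICMP lines carry no port, so an address ending
        # in ".0" would otherwise be misread as port 0.
        if not m or not m["rest"].upper().startswith("UDP"):
            continue
        (src, sport), (dst, dport) = split_endpoint(m["src"]), split_endpoint(m["dst"])
        if "0" not in (sport, dport):
            continue
        direction = "outbound" if src in local_hosts else "inbound"
        hits.append((m["ts"], src, dst, direction))
    return hits

def summarize(hits):
    """Count port-0 packets per (inside host, direction) for triage."""
    return Counter((src if d == "outbound" else dst, d) for _, src, dst, d in hits)

# Constructed sample capture (documentation addresses, hypothetical host names).
SAMPLE = """\
09:15:02.100001 IP ws1.60400 > peer.example.net.0: UDP, length 58
09:15:02.250310 IP ws1.60400 > 198.51.100.7.6881: UDP, length 58
09:15:03.120045 IP 203.0.113.9.0 > ws1.60400: UDP, length 20
09:15:03.300871 IP 192.0.2.10 > 198.51.100.0: ICMP echo request, id 1, seq 1, length 64
09:15:04.004410 IP ws1.60400 > peer.example.net.0: UDP, length 58
""".splitlines()

if __name__ == "__main__":
    found = udp_port_zero(SAMPLE, local_hosts={"ws1"})
    for row in found:
        print(*row)
    print(dict(summarize(found)))
```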