Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Port 0 oddities
From: toasty () HOME DRAGONDATA COM (Kevin Day)
Date: Thu, 18 Jun 1998 15:27:54 -0500

After reading the inital post on Bugtraq concerning DoS attacks involving
port zero (and being basically a paretty paranoid person), I took a chance
that it was not a stack-disabling attack, and dropped in some ip
firewalling rules (linux, stable kernel) to block and log connections from
any machine using source port 0, or connections from any machine, destined
to port 0 here.  As bizarre as it sounds, apparently someone IS up to
something, since I've now logged this many blocked connections thus far.
I'm posting this because the inital post made the statement that these
incidences involved imapd (port 143)  and as we can see here, it's not
limited to just that one service.  I'd love sit and wait with a packet
dumper to have more information before speaking, but I'm about to go to
San Francisco for several days, and simply don't have the time.  :/
Possibly this confirmation of the rumor will get more people interested in
hunting down whatever the heck this is...

I'm seeing 200-5000 packets a day, either with the source 0 or the dest 0.
They're usually source 0, then a well-known port #... (sendmail, named,
whatever). Nothing has crashed yet, and I haven't seen any exploits, or any
trace of an exploit yet. At first I just logged the packets, now i'm
dropping them, since apparently people *think* they can crash something with

Also, for those interested in what attempted exploits are being used most

In a 7 day period:

3171 packets with a source address of one of my class C's.
12 packets from the 10.x.x.x reserved ranges
732 packets from 172. reserved ranges
56 packets from 192.168.x.x reserved ranged
18 packets with a destination address of x.x.x.255
3 packets with a destination address of x.x.x.0
3095 packets to port 139, when there's no reason for anyone to connect
4390 packets with a source port 0
204 packets with a destination port 0
431 packets to port 111, when there's not reason for anyone to connect

I'm leaving out other stuff i'm filtering, so I don't give the entire world
my list of filters, but it's interesting...


  By Date           By Thread  

Current thread:
  • Port 0 oddities Dagmar d'Surreal (Jun 17)
    • Re: Port 0 oddities Kevin Day (Jun 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]