Security Incidents: Re: Source port 0 and from a 0 network to boot?

[kurt <kurta59 () gmail com>]

0 may be a legit first octet but more realistically this PCs address
was actually 10.153.189.110.  So the source addresses we knew where
spoofed.  I'm wondering if this looks like any known
bot/trojan/whatever?


this was a definate attempt to DoS the destination, too bad it DoS'd a
local network.  it may have been the writer of this
bot/trojan/whatever had assumed the exploited PC would be closer to a
perimeter (ie: home broadband) and not deep within a network?

the box was taken off-line and by now i'm guessing it's been rebuilt <bummer> 

forensics?  probably not...... oh well.

On 11 Jun 2005 19:08:31 -0000, junkma1l () cox net <junkma1l () cox net> wrote:
> The destination website advises they're experiencing 'server problems'.  I would have to guess it's a trojan or 
> botnet DDoS/SYN flood attack.
>
> As far as the port 0 traffic, a quote from an old Neohapisis archive "Using TCP port 0 is a common tactic to avoid 
> some badly written packet
> filters.... Some net admins fail to realize that there is a port 0,
> thinking that the lowest port number is 1, and thus don't account for it
> when writing firewall rules.
>
> An attacker gains the advantage of possibly bypassing firewall rules, or
> badly written intrusion sensors.
>
> It should also be noted that very, very, old versions of DNS were done on
> port 0, but that wasn't done using TCP."
>
> Probably just disguising the attacking host (though not very well) to slow down the filtering/blocking of attackers.