Security Incidents mailing list archives
Source port 0 and from a 0 network to boot?
From: kurt <kurta59 () gmail com>
Date: Thu, 9 Jun 2005 16:36:14 -0500
We had outbound traffic that had a source port of 0 but the spoofed source address was random from a 0 'network'. The sensor picked it up as having a port 0, but it's the 0 network that is even more odd.

13:00:22 [E] 0.104.124.6 212.25.182.18 [PORT-ZERO] (tcp,dp=80,sp=0) (nap-plyint-i01-nids)

The detection is from a Dragon sensor log detecting traffic spanned on an internal switch. We tracked the source and took the Windows PC off the network. The PC will be shipped to us from our remote office, but in the meantime does anyone recognize this traffic?

I'm curious about the spoofed source addresses, 0.x.x.x. They appear random, other than the first octet being 0, but this PC choked an internal router with 50MB of traffic.

BTW, our firewall dropped the outbound traffic so it never reached the destination, 212.25.182.18.
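An added example, not part of the original post and not Dragon's own tooling: a small Python parser for the alert layout quoted in the post that groups alerts with a source in 0.0.0.0/8 and source port 0 by destination, showing how many alerts and distinct spoofed sources hit each target and over what time window. The sample lines, addresses and sensor name are constructed, and the regular expression assumes the one-line layout shown in the post.

```python
import ipaddress
import re
from collections import defaultdict

# Layout assumed from the alert quoted in the post:
# time [E] src dst [SIGNATURE] (proto,dp=N,sp=N) (sensor)
ALERT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \[E\] (?P<src>\S+) (?P<dst>\S+) "
    r"\[(?P<sig>[^\]]+)\] \((?P<proto>\w+),dp=(?P<dp>\d+),sp=(?P<sp>\d+)\) "
    r"\((?P<sensor>[^)]+)\)$")
# 0.0.0.0/8 is the reserved "this network" block (RFC 1122).
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")

# Constructed sample alerts using documentation addresses, not data from the post.
SAMPLE = """\
12:57:00 [E] 0.10.20.1 198.51.100.18 [PORT-ZERO] (tcp,dp=80,sp=0) (sensor-a)
12:57:05 [E] 0.200.3.7 198.51.100.18 [PORT-ZERO] (tcp,dp=80,sp=0) (sensor-a)
12:57:05 [E] 0.10.20.1 198.51.100.18 [PORT-ZERO] (tcp,dp=80,sp=0) (sensor-a)
12:58:10 [E] 192.0.2.44 198.51.100.18 [PORT-ZERO] (tcp,dp=80,sp=0) (sensor-a)
12:59:30 [E] 0.77.8.2 203.0.113.9 [PORT-ZERO] (tcp,dp=80,sp=0) (sensor-a)
truncated line without fields
"""

def parse_alert(line):
    """Return a dict for one alert line, or None if it does not fit the layout."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None
    return {"time": m["time"], "src": src, "dst": m["dst"],
            "dp": int(m["dp"]), "sp": int(m["sp"]), "sensor": m["sensor"]}

def summarize_spoofed(lines):
    """Group alerts with a 0.0.0.0/8 source and source port 0 by (dst, dport)."""
    groups = defaultdict(
        lambda: {"alerts": 0, "sources": set(), "first": None, "last": None})
    for line in lines:
        a = parse_alert(line)
        if a is None or a["src"] not in THIS_NETWORK or a["sp"] != 0:
            continue
        g = groups[(a["dst"], a["dp"])]
        g["alerts"] += 1
        g["sources"].add(a["src"])
        # HH:MM:SS strings sort correctly within a single day.
        g["first"] = min(g["first"] or a["time"], a["time"])
        g["last"] = max(g["last"] or a["time"], a["time"])
    return dict(groups)
```

Calling `summarize_spoofed(SAMPLE.splitlines())` returns one entry per destination and port; the 192.0.2.44 line is skipped because its source is outside 0.0.0.0/8.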
Current thread:
- Source port 0 and from a 0 network to boot? kurt (Jun 10)
- Re: Source port 0 and from a 0 network to boot? Valdis . Kletnieks (Jun 13)
- <Possible follow-ups>
- Re: Source port 0 and from a 0 network to boot? junkma1l (Jun 13)
- Re: Source port 0 and from a 0 network to boot? kurt (Jun 13)
