Re: Port 0 packets

From: Dave Paris (dparis_at_w3works.com)
Date: 07/23/03

    Date: Wed, 23 Jul 2003 13:28:06 -0400
    To: "Stuart" <secmail@patchsupplier.dyndns.org>
    
    

    Our IDS logged a TCP port 0 packet at 10:00 UTC this morning. It was
    stopped at the network border and no further port 0 traffic has been
    seen since. The source address was 216.109.116.224, which I suspect
    may be spoofed as it reverses to web60001.mail.yahoo.com.

    Kind Regards,
    -dsp

    On Tuesday, Jul 22, 2003, at 20:28 US/Eastern, Stuart wrote:

    > Hi,
    >
    > After currently reviewing firewall logs from ISA server I have come
    > across a period where the box was hit with an approx. average of 3 - 4
    > packets per 5 minute period for 8 hours. After looking up information
    > from dshield.org
    > http://isc.incidents.org/port_details.html?port=0
    >
    > I have found that these packets can cause DoS on certain devices and
    > OSes. The effect of the packets had no effect on the box itself but the
    > packets were originating from 2 different hosts so I would assume this
    > will fall in the category of DDoS?
    > I first noticed these packets in the logs on the 21st from 11:20 GMT to
    > 22nd 7:20 GMT and they have just started again (22nd 17:40 GMT) and are
    > continuing.
    >
    > Has anyone else received such packets? Or know if there is a Trojan/worm
    > that these packets are sent from?
    >
    > Thanks for your help
    >
    > Stu
    ----------------------------------------------------------------------------
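An added example, not part of either poster's message: one way to triage border-firewall log entries like those discussed in this thread, flagging packets that use port 0 on either side and counting them per 5-minute window and per source. The log format, addresses and function names are constructed for illustration and are not ISA Server's actual log layout.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in a hypothetical "time proto src:port -> dst:port action" format.
SAMPLE_LOG = """\
2003-07-22 17:40:12 TCP 192.0.2.10:0 -> 198.51.100.5:0 DROP
2003-07-22 17:41:50 TCP 203.0.113.7:1042 -> 198.51.100.5:0 DROP
2003-07-22 17:43:03 TCP 192.0.2.10:0 -> 198.51.100.5:0 DROP
2003-07-22 17:44:30 TCP 198.51.100.20:3321 -> 198.51.100.5:80 ALLOW
2003-07-22 17:46:18 TCP 203.0.113.7:1043 -> 198.51.100.5:0 DROP
2003-07-22 17:48:59 TCP 192.0.2.10:0 -> 198.51.100.5:0 ALLOW
truncated or malformed line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)
EPOCH = datetime(1970, 1, 1)

def port0_events(log_text):
    """Return (timestamp, src, action) for every packet using port 0 on either side."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip lines that do not parse instead of guessing
        if int(m["sport"]) == 0 or int(m["dport"]) == 0:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], m["action"]))
    return events

def summarize(events, window_s=300):
    """Count port 0 packets per time window and per source; count any not dropped."""
    per_window, per_source, not_blocked = Counter(), Counter(), 0
    for ts, src, action in events:
        start = int((ts - EPOCH).total_seconds()) // window_s * window_s
        per_window[(EPOCH + timedelta(seconds=start)).strftime("%Y-%m-%d %H:%M")] += 1
        per_source[src] += 1
        if action != "DROP":
            not_blocked += 1  # port 0 traffic that got past the border
    return {"per_window": dict(per_window), "per_source": dict(per_source),
            "not_blocked": not_blocked}

if __name__ == "__main__":
    print(summarize(port0_events(SAMPLE_LOG)))
```

A non-zero `not_blocked` count is the figure to act on first, since it means port 0 traffic was allowed through rather than stopped at the border.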

