RE: Strange Port 0 Traffic

From: Andre Ludwig (ALudwig_at_Calfingroup.com)
Date: 11/14/03

  • Next message: trappers: "idsearch.com and GoogleMs.dll"
    To: "'Josh.Berry@compucom.com'" <Josh.Berry@compucom.com>
    Date: Fri, 14 Nov 2003 12:58:36 -0800
    
    

    Port 0 has been used to fingerprint OS's remotely in a few tools.

    http://www.networkpenetration.com/port0.html

    Andre Ludwig, CISSP

    -----Original Message-----
    From: Josh.Berry@compucom.com [mailto:Josh.Berry@compucom.com]
    Sent: Thursday, November 13, 2003 2:41 PM
    To: incidents@securityfocus.com
    Subject: Strange Port 0 Traffic

    I am seeing a lot of traffic lately coming from different external
    sources using UDP originating from a source port of 10000 and coming to
    my various firewall addresses with a destination port of 0.

    I ran tcpdump traces for this traffic both internally and externally for
    about 2 weeks. The traces showed no internal servers/desktops/devices
    making these connections, only external machines sending these packets
    to the firewalls.

    The data in the packet is gibberish; looks like it might be encrypted.
    Is anyone else seeing this kind of traffic?

    Attached is a sanitized trace of some of these packets.

    Josh Berry
    Information Security Group
    972-856-5402

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_incidents_031023
    and use priority code SF4.
    ----------------------------------------------------------------------------


  • Next message: trappers: "idsearch.com and GoogleMs.dll"

    Relevant Pages

    • Re: [opensuse] SuseFirewall IPv4 vs IPv6
      ... # network security threats. ... # Opening ports for LAN services in the external zone defeats the ... # this setting only works for packets destined for the local machine. ... # If the protocol is icmp then port is interpreted as icmp type ...
      (SuSE)
    • Re: What is going on with my Dialup?
      ... also forward it to an unused port, and have that port provide the ... verses the RST or ICMP 3,3. ... The lack of response causes the remote computer to make ... Others think that by not responding to unwanted packets, ...
      (comp.os.linux.networking)
    • Re: OT .. Road Warrior communications question
      ... The data on the Internet is sent in little packets. ... The packets addressed to port 80 ... Likewise, at the mail server receiving the packets, it knows the return ... Why would e-mail work on the web but not from your e-mail software? ...
      (alt.guitar.bass)
    • Re: Logs: Many hits with source port of 80
      ... The hits from source port 80 to dest port 37852 are IMHO almost ... you should probably see a couple other packets - perhaps ... packets if either you send the load balancer a packet, ... >>I have seen similar hits for the past three months. ...
      (Incidents)
    • Re: Error 720 connecting to server via VPN
      ... By default the router's firewall is configured to drop ICMP packets ... Select WAN Setup> Advanced> Respond to Ping on Internet Port. ... server and the Internet allow GRE packets. ... routers on the user's network are also configured to allow GRE packets. ...
      (microsoft.public.windows.server.sbs)