RE: Strange Port 0 Traffic

From: Andre Ludwig (ALudwig_at_Calfingroup.com)
Date: 11/14/03

  • Next message: trappers: "idsearch.com and GoogleMs.dll"
    To: "'Josh.Berry@compucom.com'" <Josh.Berry@compucom.com>
    Date: Fri, 14 Nov 2003 12:58:36 -0800
    
    

    Port 0 has been used to fingerprint OS's remotely in a few tools.

    http://www.networkpenetration.com/port0.html

    Andre Ludwig, CISSP

    -----Original Message-----
    From: Josh.Berry@compucom.com [mailto:Josh.Berry@compucom.com]
    Sent: Thursday, November 13, 2003 2:41 PM
    To: incidents@securityfocus.com
    Subject: Strange Port 0 Traffic

    I am seeing a lot of traffic lately coming from different external
    sources using UDP originating from a source port of 10000 and coming to
    my various firewall addresses with a destination port of 0.

    I ran tcpdump traces for this traffic both internally and externally for
    about 2 weeks. The traces showed no internal servers/desktops/devices
    making these connections, only external machines sending these packets
    to the firewalls.

    The data in the packet is gibberish; looks like it might be encrypted.
    Is anyone else seeing this kind of traffic?

    Attached is a sanitized trace of some of these packets.

    Josh Berry
    Information Security Group
    972-856-5402

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_incidents_031023
    and use priority code SF4.
    ----------------------------------------------------------------------------


  • Next message: trappers: "idsearch.com and GoogleMs.dll"