Re: Source port 0 and from a 0 network to boot?

junkma1l_at_cox.net
Date: 06/11/05

    Date: 11 Jun 2005 19:08:31 -0000
    To: incidents@securityfocus.com
    
    
    The destination website advises they're experiencing 'server problems'. I would have to guess it's a trojan or botnet DDoS/SYN flood attack.

    As far as the port 0 traffic, a quote from an old Neohapsis archive: "Using TCP port 0 is a common tactic to avoid some badly written packet
    filters.... Some net admins fail to realize that there is a port 0,
    thinking that the lowest port number is 1, and thus don't account for it
    when writing firewall rules.

    An attacker gains the advantage of possibly bypassing firewall rules, or
    badly written intrusion sensors.

    It should also be noted that very, very, old versions of DNS were done on
    port 0, but that wasn't done using TCP."

    Probably just disguising the attacking host (though not very well) to slow down the filtering/blocking of attackers.
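
An added example, not part of the original post: a small check for the two oddities discussed in this thread (port 0 and a source address in 0.0.0.0/8), plus the off-by-one rule range the quote describes. The function names and the sample packets are constructed for illustration; the addresses come from documentation ranges.

```python
import ipaddress
import struct

ZERO_NET = ipaddress.ip_network("0.0.0.0/8")  # "this network": not a valid remote source

def rule_matches(port, low, high):
    """Inclusive port-range rule, as a packet filter would evaluate it."""
    return low <= port <= high

def inspect_packet(pkt):
    """Return findings for one raw IPv4 packet (bytes starting at the IP header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    if ihl < 20:
        return ["bad-ihl"]
    findings = []
    if ipaddress.ip_address(pkt[12:16]) in ZERO_NET:
        findings.append("src-in-0.0.0.0/8")
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    # Ports exist only for TCP (6) / UDP (17), and only in the first fragment;
    # later fragments carry no transport header, so bytes there are not ports.
    if pkt[9] in (6, 17) and frag_offset == 0 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if sport == 0:
            findings.append("src-port-0")
        if dport == 0:
            findings.append("dst-port-0")
    return findings

def build_sample(src, dst, sport, dport, proto=6, frag=0):
    """Constructed sample: 20-byte IPv4 header plus the two port fields."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, frag, 64, proto, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + struct.pack("!HH", sport, dport)

if __name__ == "__main__":
    # A rule written as if ports start at 1 never sees port 0.
    print(rule_matches(0, 1, 65535), rule_matches(0, 0, 65535))
    samples = [  # constructed packets, documentation address ranges
        build_sample("0.1.2.3", "192.0.2.10", 0, 80),
        build_sample("198.51.100.7", "192.0.2.10", 40000, 80),
        build_sample("198.51.100.7", "192.0.2.10", 53, 0, proto=17),
        build_sample("198.51.100.7", "192.0.2.10", 0, 0, frag=0x0010),
    ]
    for pkt in samples:
        print(inspect_packet(pkt))
```

The last sample is a non-first fragment: it is not flagged, because a tool that reports "port 0" for such packets is reading payload bytes rather than a transport header.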

