Re: Source port 0 and from a 0 network to boot?
From: kurt (kurta59_at_gmail.com)
Date: Mon, 13 Jun 2005 11:29:08 -0500
To: firstname.lastname@example.org
0 may be a legit first octet but more realistically this PC's address
was actually 10.153.189.110. So the source addresses we knew were
spoofed. I'm wondering if this looks like any known
this was a definite attempt to DoS the destination, too bad it DoS'd a
local network. it may have been the writer of this
bot/trojan/whatever had assumed the exploited PC would be closer to a
perimeter (i.e. home broadband) and not deep within a network?
the box was taken off-line and by now i'm guessing it's been rebuilt <bummer>
forensics? probably not...... oh well.
On 11 Jun 2005 19:08:31 -0000, email@example.com <firstname.lastname@example.org> wrote:
> The destination website advises they're experiencing 'server problems'. I would have to guess it's a trojan or botnet DDoS/SYN flood attack.
> As far as the port 0 traffic, a quote from an old Neohapsis archive: "Using TCP port 0 is a common tactic to avoid some badly written packet
> filters.... Some net admins fail to realize that there is a port 0,
> thinking that the lowest port number is 1, and thus don't account for it
> when writing firewall rules.
> An attacker gains the advantage of possibly bypassing firewall rules, or
> badly written intrusion sensors.
> It should also be noted that very, very, old versions of DNS were done on
> port 0, but that wasn't done using TCP."
> Probably just disguising the attacking host (though not very well) to slow down the filtering/blocking of attackers.
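
The two indicators discussed in this thread (a source address in the 0 network and port 0), as an added example that is not part of the original messages: it flags both in flow records and shows how a filter whose port range starts at 1 lets port 0 through. The record layout, function names and sample flows are assumptions constructed for illustration.

```python
import ipaddress

# 0.0.0.0/8 is reserved as "this network"; it should never appear as the
# source of routed traffic, so seeing it on the wire indicates a forged packet.
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")


def naive_low_port_blocked(port):
    """Hypothetical filter with the off-by-one from the quote: ports 'start' at 1."""
    return port in range(1, 1024)      # port 0 is outside the range and passes


def fixed_low_port_blocked(port):
    """Same filter with the range starting at 0, so port 0 is covered."""
    return port in range(0, 1024)


def anomalies(flow):
    """Return the reasons a flow record looks forged (empty list if none)."""
    reasons = []
    if ipaddress.ip_address(flow["src"]) in THIS_NETWORK:
        reasons.append("source in 0.0.0.0/8")
    if flow["sport"] == 0:
        reasons.append("source port 0")
    if flow["dport"] == 0:
        reasons.append("destination port 0")
    return reasons


def report(flows):
    """List (src, sport, reasons) for every flow with at least one anomaly."""
    return [(f["src"], f["sport"], anomalies(f)) for f in flows if anomalies(f)]


# Constructed flow records using documentation addresses, not data from the thread.
SAMPLE_FLOWS = [
    {"src": "0.10.20.30", "sport": 0, "dst": "192.0.2.80", "dport": 80},
    {"src": "198.51.100.7", "sport": 51544, "dst": "192.0.2.80", "dport": 80},
    {"src": "203.0.113.9", "sport": 0, "dst": "192.0.2.80", "dport": 80},
]

if __name__ == "__main__":
    for src, sport, reasons in report(SAMPLE_FLOWS):
        print(f"{src}:{sport} -> {', '.join(reasons)}")
    print("naive filter blocks port 0:", naive_low_port_blocked(0))
    print("fixed filter blocks port 0:", fixed_low_port_blocked(0))
```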