Re: Source port 0 and from a 0 network to boot?

From: kurt (kurta59_at_gmail.com)
Date: 06/13/05

Date: Mon, 13 Jun 2005 11:29:08 -0500
To: incidents@securityfocus.com

0 may be a legit first octet, but more realistically this PC's address
was actually 10.153.189.110. So the source addresses we knew were
spoofed. I'm wondering if this looks like any known
bot/trojan/whatever?

This was a definite attempt to DoS the destination; too bad it DoS'd a
local network. It may be that the writer of this
bot/trojan/whatever had assumed the exploited PC would be closer to a
perimeter (i.e. home broadband) and not deep within a network?

The box was taken off-line and by now I'm guessing it's been rebuilt <bummer>

Forensics? Probably not... oh well.

On 11 Jun 2005 19:08:31 -0000, junkma1l@cox.net <junkma1l@cox.net> wrote:
> The destination website advises they're experiencing 'server problems'. I would have to guess it's a trojan or botnet DDoS/SYN flood attack.
>
> As far as the port 0 traffic, a quote from an old Neohapsis archive: "Using TCP port 0 is a common tactic to avoid some badly written packet
> filters.... Some net admins fail to realize that there is a port 0,
> thinking that the lowest port number is 1, and thus don't account for it
> when writing firewall rules.
>
> An attacker gains the advantage of possibly bypassing firewall rules, or
> badly written intrusion sensors.
>
> It should also be noted that very, very old versions of DNS were done on
> port 0, but that wasn't done using TCP."
>
> Probably just disguising the attacking host (though not very well) to slow down the filtering/blocking of attackers.
>
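A defender-side check for the two tells discussed in this thread, TCP port 0 and source addresses in the 0.0.0.0/8 "network", as an added example (not code from either list post). It shows how a port range written from 1 silently misses port 0, next to a flow check that flags port 0, 0/8 sources and, as an egress filter, any source outside an assumed local prefix of 10.0.0.0/8; the sample flow records and that prefix are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


# Constructed sample records modelled on the incident: TCP source port 0 from
# spoofed 0.x.x.x sources, sent by an internal host whose real address was
# 10.153.189.110. The destination is an RFC 5737 documentation address.
SAMPLE_FLOWS = [
    Flow("0.153.189.110", 0, "198.51.100.20", 80, "tcp"),
    Flow("0.27.4.2", 0, "198.51.100.20", 80, "tcp"),
    Flow("10.153.189.110", 51234, "198.51.100.20", 80, "tcp"),  # normal browsing
    Flow("10.153.189.110", 40000, "10.153.0.53", 53, "udp"),    # normal DNS lookup
]

ZERO_NET = ipaddress.ip_network("0.0.0.0/8")            # IANA "this network" reservation
LOCAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]   # assumed site prefixes (egress check)


def covered_by_port_rule(flow, low=1, high=65535):
    """The blind spot the quoted post describes: a rule whose port range
    starts at 1 never matches port 0, so such packets fall through untouched."""
    return low <= flow.sport <= high and low <= flow.dport <= high


def flag_flow(flow):
    """Reasons an egress filter or IDS should flag this flow (empty = clean)."""
    reasons = []
    src = ipaddress.ip_address(flow.src)
    if flow.proto == "tcp" and (flow.sport == 0 or flow.dport == 0):
        reasons.append("tcp_port_0")
    if src in ZERO_NET:
        reasons.append("src_in_0/8")
    if not any(src in net for net in LOCAL_PREFIXES):
        reasons.append("src_not_local")   # leaving our network with a foreign source: spoofed
    return reasons


def audit(flows):
    """Pair each flow with the weak rule's verdict and the corrected flags."""
    return [{"flow": f, "weak_rule_matches": covered_by_port_rule(f), "flags": flag_flow(f)}
            for f in flows]
```

Running `audit(SAMPLE_FLOWS)` shows the two port-0 flows slipping past the weak rule while being flagged three ways by the corrected check.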

