Port 0 oddities

From: Dagmar d'Surreal (dagmarat_private)
Date: Wed Jun 17 1998 - 13:11:05 PDT


    After reading the initial post on Bugtraq concerning DoS attacks involving
    port zero (and being basically a pretty paranoid person), I took a chance
    that it was not a stack-disabling attack, and dropped in some ip
    firewalling rules (linux, stable kernel) to block and log connections from
    any machine using source port 0, or connections from any machine, destined
    to port 0 here.  As bizarre as it sounds, apparently someone IS up to
    something, since I've now logged this many blocked connections thus far.
    I'm posting this because the initial post made the statement that these
    incidences involved imapd (port 143), and as we can see here, it's not
    limited to just that one service.  I'd love to sit and wait with a packet
    dumper to have more information before speaking, but I'm about to go to
    San Francisco for several days, and simply don't have the time.  :/
    Possibly this confirmation of the rumor will get more people interested in
    hunting down whatever the heck this is...
    
    Jun 10 00:21:04 think kernel: IP fw-in deny eth1 TCP 208.201.47.80:0 think.kung.foo:143 L=40 S=0x00 I=37635 F=0x0000 T=233
    Jun 10 00:21:16 think kernel: IP fw-in deny eth1 TCP 208.201.47.80:0 think.kung.foo:53 L=40 S=0x00 I=37635 F=0x0000 T=233
    Jun 10 00:21:27 think kernel: IP fw-in deny eth1 TCP 208.201.47.80:0 think.kung.foo:23 L=40 S=0x00 I=37635 F=0x0000 T=233
    Jun 10 00:37:36 think kernel: IP fw-in deny eth1 TCP 208.201.47.80:0 think.kung.foo:8010 L=40 S=0x00 I=37635 F=0x0000 T=233
    Jun 11 23:12:57 think kernel: IP fw-in deny eth1 TCP 208.201.47.80:0 think.kung.foo:53 L=40 S=0x00 I=62720 F=0x0000 T=234
    Jun 15 17:56:53 think kernel: IP fw-in deny eth1 TCP 205.182.88.180:0 think.kung.foo:53 L=40 S=0x00 I=26881 F=0x0000 T=232
    Jun 16 05:00:45 think kernel: IP fw-in deny eth1 TCP 134.50.8.42:0 think.kung.foo:53 L=40 S=0x00 I=11268 F=0x0000 T=236
    Jun 17 00:10:06 think kernel: IP fw-in deny eth1 TCP 24.112.51.71:0 think.kung.foo:23 L=40 S=0x00 I=30723 F=0x0000 T=239
    
    think.kung.foo is the internal name of the machine, and the appearance of the
    name is the result of some sanitizing code in my log filters.  Don't anyone
    panic.  ;)
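The log lines above lend themselves to automatic triage. The following Python is added here and is not part of the original post: it parses the Linux ipfwadm "IP fw-in deny" log format shown, picks out entries with source or destination port 0, and flags sources whose blocked packets all reuse a single IP ID (as the post's 208.201.47.80 entries do with I=37635), which suggests hand-crafted packets rather than a real TCP stack. The addresses, IP IDs and extra lines in the embedded sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the Linux 2.0 ipfwadm "IP fw-in deny" log format
# used in the post; addresses and IP IDs are made up.
SAMPLE_LOG = """\
Jun 10 00:21:04 think kernel: IP fw-in deny eth1 TCP 192.0.2.10:0 think.kung.foo:143 L=40 S=0x00 I=37635 F=0x0000 T=233
Jun 10 00:21:16 think kernel: IP fw-in deny eth1 TCP 192.0.2.10:0 think.kung.foo:53 L=40 S=0x00 I=37635 F=0x0000 T=233
Jun 10 00:21:27 think kernel: IP fw-in deny eth1 TCP 192.0.2.10:0 think.kung.foo:23 L=40 S=0x00 I=37635 F=0x0000 T=233
Jun 10 00:30:00 think kernel: IP fw-in deny eth1 TCP 198.51.100.7:1025 think.kung.foo:23 L=44 S=0x00 I=100 F=0x4000 T=64
Jun 11 23:12:57 think kernel: IP fw-in deny eth1 UDP 203.0.113.5:1234 think.kung.foo:0 L=28 S=0x00 I=7 F=0x0000 T=60
"""

# Field order: timestamp host "kernel: IP fw-<chain> <action> <iface> <proto>
# src:sport dst:dport L=len S=tos I=ipid F=frag T=ttl"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: IP fw-\w+ (?P<action>\w+) "
    r"(?P<iface>\S+) (?P<proto>\w+) (?P<src>[^\s:]+):(?P<sport>\d+) "
    r"(?P<dst>[^\s:]+):(?P<dport>\d+) L=(?P<len>\d+) S=\S+ I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)$"
)

def parse_line(line):
    """Parse one ipfwadm log line into a dict; None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len", "ipid", "ttl"):
        rec[key] = int(rec[key])
    return rec

def port_zero_events(log_text):
    """Records whose source or destination port is 0 (never used by
    legitimate TCP/UDP traffic), tagged with which side was zero."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (rec["sport"] == 0 or rec["dport"] == 0):
            rec["zero_side"] = "src" if rec["sport"] == 0 else "dst"
            events.append(rec)
    return events

def summarize_sources(events):
    """Per source: hit count, targeted ports, IP IDs seen, and a 'crafted'
    flag when several packets all carry the same IP ID."""
    summary = defaultdict(lambda: {"count": 0, "dports": set(), "ipids": set()})
    for rec in events:
        s = summary[rec["src"]]
        s["count"] += 1
        s["dports"].add(rec["dport"])
        s["ipids"].add(rec["ipid"])
    return {src: dict(v, crafted=(v["count"] > 1 and len(v["ipids"]) == 1))
            for src, v in summary.items()}
```

Pipe a real syslog extract into `port_zero_events` and review the sources that `summarize_sources` marks as crafted first.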
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:58:39 PDT