Re: Port 0 oddities

From: Kevin Day (toastyat_private)
Date: Thu Jun 18 1998 - 13:27:54 PDT

> After reading the initial post on Bugtraq concerning DoS attacks involving
> port zero (and being basically a pretty paranoid person), I took a chance
> that it was not a stack-disabling attack, and dropped in some ip
> firewalling rules (linux, stable kernel) to block and log connections from
> any machine using source port 0, or connections from any machine, destined
> to port 0 here.  As bizarre as it sounds, apparently someone IS up to
> something, since I've now logged this many blocked connections thus far.
> I'm posting this because the initial post made the statement that these
> incidences involved imapd (port 143) and as we can see here, it's not
> limited to just that one service.  I'd love to sit and wait with a packet
> dumper to have more information before speaking, but I'm about to go to
> San Francisco for several days, and simply don't have the time.  :/
> Possibly this confirmation of the rumor will get more people interested in
> hunting down whatever the heck this is...
>

I'm seeing 200-5000 packets a day, either with the source 0 or the dest 0.
They're usually source 0, then a well-known port #... (sendmail, named,
whatever). Nothing has crashed yet, and I haven't seen any exploits, or any
trace of an exploit yet. At first I just logged the packets, now I'm
dropping them, since apparently people *think* they can crash something with
it.

Also, for those interested in what attempted exploits are being used most
often...

In a 7 day period:

3171 packets with a source address of one of my class C's.
12 packets from the 10.x.x.x reserved ranges
732 packets from 172. reserved ranges
56 packets from 192.168.x.x reserved ranges
18 packets with a destination address of x.x.x.255
3 packets with a destination address of x.x.x.0
3095 packets to port 139, when there's no reason for anyone to connect
there.
4390 packets with a source port 0
204 packets with a destination port 0
431 packets to port 111, when there's no reason for anyone to connect
there.


I'm leaving out other stuff I'm filtering, so I don't give the entire world
my list of filters, but it's interesting...

Kevin
    
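The tally above is the kind of per-category count a firewall log classifier produces. The following is an added example, not code from Kevin's post or from the Linux firewall code of the time: it reads a constructed, simplified log format (`src=… sport=… dst=… dport=…`, not the real kernel log format), assumes the site's own class C is `192.0.2.0/24` (a placeholder; the post names no netblocks), interprets the post's "172. reserved ranges" as RFC 1918's `172.16.0.0/12`, and tags each inbound packet with the categories the post counts: spoofed own-netblock source, RFC 1918 source, x.x.x.255 or x.x.x.0 destination, source port 0, destination port 0, and destinations 139 and 111.

```python
import ipaddress
import re
from collections import Counter

# Constructed, simplified log format (assumption: not the Linux firewall
# log format of the era). Each line: "src=<ip> sport=<port> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"src=(\S+) sport=(\d+) dst=(\S+) dport=(\d+)")

# Assumption: the site's own class C. 192.0.2.0/24 is a documentation
# range used here as a placeholder; the post does not name its netblocks.
OWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# RFC 1918 private ranges; the post's "172. reserved ranges" is read as 172.16.0.0/12.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destination ports the post calls out as having no legitimate external callers.
SUSPICIOUS_DPORTS = {139: "dport-139-netbios", 111: "dport-111-portmap"}


def parse(line):
    """Return (src, sport, dst, dport) for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport)


def classify(line, own_nets=OWN_NETS):
    """Return the set of tags (the post's categories) that apply to one inbound packet."""
    parsed = parse(line)
    if parsed is None:
        return set()
    src, sport, dst, dport = parsed
    tags = set()
    # An inbound packet claiming one of our own addresses as its source is spoofed.
    if any(src in n for n in own_nets):
        tags.add("spoofed-own-netblock")
    # Private source addresses should never arrive from the Internet.
    if any(src in n for n in RFC1918):
        tags.add("src-rfc1918")
    # Directed-broadcast (x.x.x.255) and network-address (x.x.x.0) destinations.
    if dst.version == 4:
        last_octet = int(dst) & 0xFF
        if last_octet == 255:
            tags.add("dst-x.x.x.255")
        elif last_octet == 0:
            tags.add("dst-x.x.x.0")
    if sport == 0:
        tags.add("sport-0")
    if dport == 0:
        tags.add("dport-0")
    if dport in SUSPICIOUS_DPORTS:
        tags.add(SUSPICIOUS_DPORTS[dport])
    return tags


def summarize(lines, own_nets=OWN_NETS):
    """Count how many packets fall into each category (one packet may hit several)."""
    counts = Counter()
    for line in lines:
        counts.update(classify(line, own_nets))
    return counts


# Constructed sample log: a handful of lines covering every category in the post.
SAMPLE_LOG = [
    "src=198.51.100.7 sport=0 dst=192.0.2.10 dport=25",       # source port 0 -> sendmail
    "src=198.51.100.7 sport=0 dst=192.0.2.10 dport=53",       # source port 0 -> named
    "src=203.0.113.5 sport=1234 dst=192.0.2.10 dport=0",      # destination port 0
    "src=192.0.2.44 sport=40000 dst=192.0.2.10 dport=80",     # our own class C, from outside
    "src=10.1.2.3 sport=4000 dst=192.0.2.10 dport=139",       # RFC 1918 source, NetBIOS
    "src=172.20.0.9 sport=4001 dst=192.0.2.10 dport=111",     # RFC 1918 source, portmapper
    "src=203.0.113.9 sport=5000 dst=192.0.2.255 dport=139",   # broadcast destination
    "src=203.0.113.9 sport=5001 dst=192.0.2.0 dport=22",      # network-address destination
    "this line is not a packet record",                       # ignored by the parser
]

if __name__ == "__main__":
    for tag, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:5d}  {tag}")
```

Running the block prints one line per category with its count, in the shape of the seven-day tally in the post. Feeding it real log lines means replacing `LINE_RE` with a pattern for your own firewall's log format and `OWN_NETS` with the netblocks you actually own.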



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:58:57 PDT