> After reading the initial post on Bugtraq concerning DoS attacks involving
> port zero (and being basically a pretty paranoid person), I took a chance
> that it was not a stack-disabling attack, and dropped in some ip
> firewalling rules (linux, stable kernel) to block and log connections from
> any machine using source port 0, or connections from any machine, destined
> to port 0 here. As bizarre as it sounds, apparently someone IS up to
> something, since I've now logged this many blocked connections thus far.
> I'm posting this because the initial post made the statement that these
> incidences involved imapd (port 143) and as we can see here, it's not
> limited to just that one service. I'd love to sit and wait with a packet
> dumper to have more information before speaking, but I'm about to go to
> San Francisco for several days, and simply don't have the time. :/
> Possibly this confirmation of the rumor will get more people interested in
> hunting down whatever the heck this is...
>

I'm seeing 200-5000 packets a day, either with the source 0 or the dest 0. They're usually source 0, then a well-known port #... (sendmail, named, whatever). Nothing has crashed yet, and I haven't seen any exploits, or any trace of an exploit yet. At first I just logged the packets, now I'm dropping them, since apparently people *think* they can crash something with it.

Also, for those interested in what attempted exploits are being used most often... In a 7 day period:

3171 packets with a source address of one of my class C's.
12 packets from the 10.x.x.x reserved ranges
732 packets from 172. reserved ranges
56 packets from 192.168.x.x reserved ranges
18 packets with a destination address of x.x.x.255
3 packets with a destination address of x.x.x.0
3095 packets to port 139, when there's no reason for anyone to connect there.
4390 packets with a source port 0
204 packets with a destination port 0
431 packets to port 111, when there's no reason for anyone to connect there.

I'm leaving out other stuff I'm filtering, so I don't give the entire world my list of filters, but it's interesting...

Kevin
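The tally above can be reproduced offline from a packet log by classifying each packet against the same categories the post filters on (source/destination port 0, spoofed local or RFC 1918 source, .0/.255 destinations, ports 111 and 139). The following is an added example, not code from the post; the `src:sport > dst:dport` log format, the local network 198.51.100.0/24 and the sample lines are all constructed assumptions.

```python
"""Classify inbound packets into the filter categories the post counts."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed assumption: the site's own class C (the post does not name it).
LOCAL_NET = ip_network("198.51.100.0/24")
# RFC 1918 ranges the post reports as "reserved" source addresses.
RESERVED = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

def classify(src_ip, src_port, dst_ip, dst_port):
    """Return every filter category one inbound packet matches."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    hits = []
    if s in LOCAL_NET:            # our own address arriving from outside: spoofed
        hits.append("spoofed local source")
    if any(s in net for net in RESERVED):
        hits.append("reserved source range")
    if d.packed[-1] == 255:       # last octet .255: directed broadcast
        hits.append("dest x.x.x.255")
    if d.packed[-1] == 0:         # last octet .0: network address
        hits.append("dest x.x.x.0")
    if src_port == 0:
        hits.append("source port 0")
    if dst_port == 0:
        hits.append("dest port 0")
    if dst_port in (111, 139):    # portmapper / netbios-ssn, never expected inbound
        hits.append(f"dest port {dst_port}")
    return hits

def tally(lines):
    """Parse 'src:sport > dst:dport' lines (constructed format) and count hits."""
    counts = Counter()
    for line in lines:
        src, dst = line.split(" > ")
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        counts.update(classify(sip, int(sport), dip, int(dport)))
    return counts

# Constructed sample log lines, not taken from the post.
SAMPLE = [
    "203.0.113.7:0 > 198.51.100.5:25",         # source port 0 to sendmail
    "203.0.113.7:0 > 198.51.100.5:53",         # source port 0 to named
    "203.0.113.9:40000 > 198.51.100.5:0",      # destination port 0
    "10.1.2.3:1025 > 198.51.100.5:139",        # reserved source, netbios
    "198.51.100.44:1025 > 198.51.100.5:111",   # our own address from outside
    "203.0.113.9:1026 > 198.51.100.255:137",   # broadcast destination
]

if __name__ == "__main__":
    for cat, n in sorted(tally(SAMPLE).items()):
        print(f"{n:5d} {cat}")
```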
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:58:57 PDT