Hello,

It may be noteworthy that nmap recently (March, 2003) included port 0 support in nmap-3.20. Perhaps these are part of port scanning or other probing?

Additionally, Back Orifice 2000's default tcp port is port 0 as well. (http://vil.nai.com/vil/content/v_10229.htm) Perhaps they are probing for this?

I would imagine unless you run one of the _few_ devices affected by crashing on port 0 packets, you are not the victim of a DoS.

-Russell

P.S. are they udp or tcp or otherwise?

On Wed, 23 Jul 2003, Stuart wrote:

> Hi,
>
> After currently reviewing firewall logs from ISA server I have come
> across a period where the box was hit with an approx. average of 3 - 4
> packets per 5 minute period for 8 hours. After looking up information
> from dshield.org
> http://isc.incidents.org/port_details.html?port=0
>
> I have found that these packets can cause DoS on certain devices and
> OS'. The effect of the packets had no effect on the box itself but the
> packets were originating from 2 different hosts so I would assume this
> will fall in the category of DDoS?
> I first noticed these packets in the logs on the 21st from 11:20 GMT to
> 22nd 7:20 GMT and they have just started again (22nd 17:40 GMT) and are
> continuing.
>
> Has anyone else received such packets? Or know if there is a Trojan/worm
> that these packets are sent from?
>
> Thanks for your help
>
> Stu
This archive was generated by hypermail 2b30 : Thu Jul 24 2003 - 10:54:23 PDT