Russell, thanks for the info. They are TCP; I usually receive them in 3/4 packet blocks from the one host, then from the other, although another host has now decided to join in. After using net monitor and Ethereal I managed to get a capture of the packets from one of the hosts. They are identical packets from the same source port, and I received 4 of them at different time intervals (packet 1, packet 2 after 2 seconds, 3 after 7 and the 3rd after 19). (The packet capture: http://patchsupplier.dyndns.org/capture/port0.cap)

One of the hosts has now stopped sending me the packets but another source has started (80.128.114.205). I have no idea why this box is receiving these packets but I shall keep an eye on them to see what happens.

Thanks for your help

Stu

-----Original Message-----
From: Russell Harding [mailto:hardingrat_private]
Sent: 23 July 2003 19:27
To: Stuart
Cc: incidentsat_private
Subject: Re: Port 0 packets

Hello,

It may be noteworthy that nmap recently (March, 2003) included port 0 support in nmap-3.20. Perhaps these are part of port scanning or other probing?

Additionally, Back Orifice 2000's default TCP port is port 0 as well. (http://vil.nai.com/vil/content/v_10229.htm) Perhaps they are probing for this?

I would imagine unless you run one of the _few_ devices affected by crashing on port 0 packets, you are not the victim of a DoS.

-Russell

P.S. Are they UDP or TCP or otherwise?

On Wed, 23 Jul 2003, Stuart wrote:

> Hi,
>
> After reviewing firewall logs from ISA Server I have come across a
> period where the box was hit with an approx. average of 3 - 4 packets
> per 5 minute period for 8 hours. After looking up information from
> dshield.org
> http://isc.incidents.org/port_details.html?port=0
>
> I have found that these packets can cause DoS on certain devices and
> OSes. The packets had no effect on the box itself, but the packets were
> originating from 2 different hosts so I would assume this will fall in
> the category of DDoS?
>
> I first noticed these packets in the logs on the 21st from 11:20 GMT to
> 22nd 7:20 GMT and they have just started again (22nd 17:40 GMT) and are
> continuing.
>
> Has anyone else received such packets? Or know if there is a Trojan/worm
> that these packets are sent from?
>
> Thanks for your help
>
> Stu
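The thread above boils down to a log-triage question: which sources are sending packets to destination port 0, how often, and from which source ports. The script below is an added example (not code from either poster, and not from ISA Server or Ethereal) that does that triage over firewall log lines. The log format, the addresses and the timestamps are all constructed for the example; a real ISA Server export would need its own line parser, but the grouping and interval logic is the same.

```python
"""Triage firewall log lines for traffic to destination port 0.

Added example: the line format below is hypothetical (timestamp, protocol,
src:sport, dst:dport, action) and the sample lines are constructed so that
the first source repeats one packet from a single source port at the
widening intervals the thread describes (2 s, 7 s, 19 s).
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
2003-07-21 11:20:03 TCP 198.51.100.7:3456 192.0.2.10:0 DROP
2003-07-21 11:20:05 TCP 198.51.100.7:3456 192.0.2.10:0 DROP
2003-07-21 11:20:12 TCP 198.51.100.7:3456 192.0.2.10:0 DROP
2003-07-21 11:20:31 TCP 198.51.100.7:3456 192.0.2.10:0 DROP
2003-07-21 11:21:00 TCP 203.0.113.9:40000 192.0.2.10:80 ALLOW
2003-07-21 11:24:40 TCP 203.0.113.55:1100 192.0.2.10:0 DROP
2003-07-21 11:24:42 UDP 203.0.113.55:1100 192.0.2.10:0 DROP
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def port_zero_events(text):
    """Return only the parsed records whose destination port is 0."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [rec for rec in parsed if rec is not None and rec["dport"] == 0]


def summarize(events):
    """Group port-0 events by (source address, protocol).

    For each group report the packet count, the set of source ports used and
    the gaps in seconds between consecutive packets, which is what tells a
    repeated packet from one socket apart from a scan walking source ports.
    """
    groups = defaultdict(list)
    for rec in events:
        groups[(rec["src"], rec["proto"])].append(rec)
    summary = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        summary[key] = {
            "count": len(recs),
            "sports": {r["sport"] for r in recs},
            "intervals": gaps,
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
        }
    return summary


def describe(summary):
    """Render one human-readable line per source, with a simple pattern label."""
    lines = []
    for (src, proto), s in sorted(summary.items()):
        if s["count"] > 1 and len(s["sports"]) == 1 and s["intervals"] == sorted(s["intervals"]):
            pattern = "repeats from one source port with widening gaps"
        elif len(s["sports"]) > 1:
            pattern = "multiple source ports (scan-like)"
        else:
            pattern = "single packet"
        lines.append(
            f"{src} {proto}: {s['count']} pkt(s) to port 0, sports={sorted(s['sports'])}, "
            f"gaps={s['intervals']}s, {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}: {pattern}"
        )
    return lines


if __name__ == "__main__":
    for line in describe(summarize(port_zero_events(SAMPLE_LOG))):
        print(line)
```

Run against a real export, the interesting signal is in the `sports` and `intervals` fields: a single source port with gaps that grow each time looks like one peer retrying the same packet, whereas many source ports in quick succession looks like deliberate probing; either way the destination port 0 packets are not going to harm a host that simply drops them, as Russell notes above.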
This archive was generated by hypermail 2b30 : Thu Jul 24 2003 - 10:57:00 PDT