Hi,

> Over the last few days snort has been complaining about packets on TCP 0
> to an address in our network. I finally got to investigate it yesterday.
>
> The packets were coming from two IP addresses in China and were tcp with
> RST+ACK flags set. I then used our argus <www.qosient.com> logs to

[ snip ]

For the past couple of months we've gotten the occasional complaint /
report of these packets as well. So far they've come down to one of four
categories:

1) Proxy scanners - Typically src port 0, but have been scanning for
   0,25,1080,3128,8080, etc. Why src 0? Could be several reasons; certainly
   one guess would be an assumption that poorly configured firewalls may
   block inbound packets by src 1-65535 or some such.

2) Something p2p related - overnet / edonkey / kazaa (and so on) clients
   that every now and again send out a packet to tcp port 0 or receive one
   destined to it. No one who has complained about it has captured the
   actual packet, but the use of these clients was definitely connected.
   My guess is that it's related to the next category...

3) TCP ping'ing for network connectivity / performance - since some
   providers filter icmp, we've had people use a tcp 'ping' to port zero
   to test various aspects of reachability and latency.

4) Not yet 100% sure - probably like others in this thread, have a few
   guesses, but haven't found a 100% clear explanation.

Scott
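The following is an added example, not code from the thread or from the argus project: a small triage pass that takes flow records in an assumed simple tuple format (source IP, source port, destination IP, destination port, TCP flag string), keeps only the flows that touch TCP port 0, and applies the four rules of thumb from the post above to each source address. The sample flows, the IP addresses and the record format are all constructed for illustration; the proxy port list is the one named in category 1.

```python
# Added example (not from the original thread): triage of port-0 flows
# using the rules of thumb from the post. Record format and sample data
# are assumed for illustration, not real argus output.
from collections import defaultdict

# Ports the post says the proxy scanners hit alongside port 0.
PROXY_SCAN_PORTS = {25, 1080, 3128, 8080}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, tcp_flags).
# Flags: "S" = SYN only, "RA" = RST+ACK.
SAMPLE_FLOWS = [
    ("198.51.100.7", 0, "192.0.2.10", 0, "S"),       # src port 0, sweeping proxy ports
    ("198.51.100.7", 0, "192.0.2.10", 25, "S"),
    ("198.51.100.7", 0, "192.0.2.10", 1080, "S"),
    ("198.51.100.7", 0, "192.0.2.10", 3128, "S"),
    ("203.0.113.42", 4662, "192.0.2.11", 0, "S"),    # lone probe to port 0
    ("203.0.113.99", 1025, "192.0.2.12", 0, "RA"),   # unsolicited RST+ACK to port 0
    ("198.51.100.9", 40000, "192.0.2.13", 443, "S"), # ordinary traffic, ignored
]


def port_zero_flows(flows):
    """Keep only flows whose source or destination TCP port is 0."""
    return [f for f in flows if f[1] == 0 or f[3] == 0]


def triage(flows):
    """Return {src_ip: (category, sorted destination ports)} for every
    source involved in port-0 traffic, using the post's categories."""
    by_src = defaultdict(list)
    for f in port_zero_flows(flows):
        by_src[f[0]].append(f)

    result = {}
    for src, recs in by_src.items():
        dst_ports = {r[3] for r in recs}
        flags = {r[4] for r in recs}
        src_zero = any(r[1] == 0 for r in recs)

        # Category 1: src port 0 plus several of the proxy ports.
        if src_zero and len(dst_ports & PROXY_SCAN_PORTS) >= 2:
            result[src] = ("proxy-scanner", sorted(dst_ports))
        # Category 4: only RST/RST+ACK seen, which a flow log cannot explain.
        elif flags <= {"R", "RA"}:
            result[src] = ("rst-ack to port 0 (unsolicited; cause unknown)",
                           sorted(dst_ports))
        # Categories 2/3: a single SYN to port 0 is consistent with a p2p
        # client or a tcp 'ping'; a packet capture is needed to tell them apart.
        else:
            result[src] = ("single port-0 probe (p2p client or tcp ping candidate)",
                           sorted(dst_ports))
    return result


if __name__ == "__main__":
    for src, (category, ports) in triage(SAMPLE_FLOWS).items():
        print(f"{src:15} {category:60} ports={ports}")
```

The rules only separate the clear-cut proxy sweep from the rest; as the post notes, a flow record alone cannot distinguish a p2p client from a tcp 'ping' or explain an unsolicited RST+ACK, so those sources are labelled as candidates for packet capture rather than classified.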
This archive was generated by hypermail 2b30 : Thu Jul 24 2003 - 12:56:53 PDT