[6998] in bugtraq


Re: Port 0 oddities

daemon@ATHENA.MIT.EDU (Kevin Day)
Fri Jun 19 18:34:57 1998

Date: 	Thu, 18 Jun 1998 15:27:54 -0500
Reply-To: Kevin Day <toasty@HOME.DRAGONDATA.COM>
From: Kevin Day <toasty@HOME.DRAGONDATA.COM>
X-To:         dagmar@estates.ml.org
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.96.980617150946.9548I-100000@think.kung.foo> from
              Dagmar d'Surreal at "Jun 17, 98 03:11:05 pm"

> After reading the initial post on Bugtraq concerning DoS attacks involving
> port zero (and being basically a pretty paranoid person), I took a chance
> that it was not a stack-disabling attack, and dropped in some ip
> firewalling rules (linux, stable kernel) to block and log connections from
> any machine using source port 0, or connections from any machine, destined
> to port 0 here.  As bizarre as it sounds, apparently someone IS up to
> something, since I've now logged this many blocked connections thus far.
> I'm posting this because the initial post made the statement that these
> incidences involved imapd (port 143)  and as we can see here, it's not
> limited to just that one service.  I'd love to sit and wait with a packet
> dumper to have more information before speaking, but I'm about to go to
> San Francisco for several days, and simply don't have the time.  :/
> Possibly this confirmation of the rumor will get more people interested in
> hunting down whatever the heck this is...
>

I'm seeing 200-5000 packets a day, either with the source 0 or the dest 0.
They're usually source 0, then a well-known port #... (sendmail, named,
whatever). Nothing has crashed yet, and I haven't seen any exploits, or any
trace of an exploit yet. At first I just logged the packets, now I'm
dropping them, since apparently people *think* they can crash something with
it.

Also, for those interested in what attempted exploits are being used most
often...

In a 7 day period:

3171 packets with a source address of one of my class C's.
12 packets from the 10.x.x.x reserved ranges
732 packets from 172. reserved ranges
56 packets from 192.168.x.x reserved ranges
18 packets with a destination address of x.x.x.255
3 packets with a destination address of x.x.x.0
3095 packets to port 139, when there's no reason for anyone to connect
there.
4390 packets with a source port 0
204 packets with a destination port 0
431 packets to port 111, when there's no reason for anyone to connect
there.


I'm leaving out other stuff I'm filtering, so I don't give the entire world
my list of filters, but it's interesting...

Kevin
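The categories Kevin tallies above (a source address from his own class C arriving from outside, RFC 1918 source ranges, destinations ending in .255 or .0, port 0 on either end, and unsolicited traffic to 139 and 111) are easy to reproduce as a log classifier. The following is an added example, not code from Kevin's post or from any firewall; the `src=ip:port dst=ip:port proto=...` line format, the sample log lines and the choice of 192.0.2.0/24 as "our" network are all assumptions made for the illustration.

```python
"""Tally packet-log lines into the filter categories from Kevin Day's post.

Added example, not from the original message. The log format below is an
assumed one, not any particular firewall's.
"""
import ipaddress
from collections import Counter

# Constructed sample log (not real traffic). Each line is assumed to read
#   src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>
SAMPLE_LOG = """\
src=192.0.2.77:0 dst=192.0.2.10:25 proto=tcp
src=10.4.4.4:1025 dst=192.0.2.10:53 proto=udp
src=172.16.9.9:3333 dst=192.0.2.10:139 proto=tcp
src=192.168.1.5:44444 dst=192.0.2.10:111 proto=tcp
src=198.51.100.3:1234 dst=192.0.2.255:137 proto=udp
src=198.51.100.3:1234 dst=192.0.2.0:139 proto=tcp
src=198.51.100.9:2048 dst=192.0.2.10:0 proto=tcp
src=203.0.113.5:40000 dst=192.0.2.10:80 proto=tcp
"""

# Assumption: the site's own "class C" is 192.0.2.0/24 (a documentation range).
# A packet from outside that claims one of these addresses is spoofed.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# RFC 1918 ranges; Kevin's "172. reserved ranges" is 172.16.0.0/12.
RFC1918 = {
    "rfc1918-src-10": ipaddress.ip_network("10.0.0.0/8"),
    "rfc1918-src-172": ipaddress.ip_network("172.16.0.0/12"),
    "rfc1918-src-192.168": ipaddress.ip_network("192.168.0.0/16"),
}

# Destination ports Kevin says nobody outside has a reason to reach.
SUSPECT_DST_PORTS = {139: "dst-port-139", 111: "dst-port-111"}


def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port) or None for an unparsable line."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        src_ip, src_port = fields["src"].rsplit(":", 1)
        dst_ip, dst_port = fields["dst"].rsplit(":", 1)
        return (ipaddress.ip_address(src_ip), int(src_port),
                ipaddress.ip_address(dst_ip), int(dst_port))
    except (KeyError, ValueError):
        return None


def classify(src_ip, src_port, dst_ip, dst_port):
    """Return the list of filter categories a packet matches (empty means it passes)."""
    tags = []
    if any(src_ip in net for net in LOCAL_NETS):
        tags.append("spoofed-local-src")
    for tag, net in RFC1918.items():
        if src_ip in net:
            tags.append(tag)
    # Kevin's x.x.x.255 / x.x.x.0 checks are on the last octet, not on the
    # real broadcast address of a prefix, so test the last byte directly.
    last_octet = dst_ip.packed[-1]
    if last_octet == 255:
        tags.append("dst-x.x.x.255")
    elif last_octet == 0:
        tags.append("dst-x.x.x.0")
    if src_port == 0:
        tags.append("src-port-0")
    if dst_port == 0:
        tags.append("dst-port-0")
    if dst_port in SUSPECT_DST_PORTS:
        tags.append(SUSPECT_DST_PORTS[dst_port])
    return tags


def tally(log_text):
    """Count matches per category over a whole log; a line may hit several."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsable"] += 1
            continue
        tags = classify(*rec)
        if not tags:
            counts["passed"] += 1
        counts.update(tags)
    return counts


if __name__ == "__main__":
    for tag, n in sorted(tally(SAMPLE_LOG).items()):
        print(f"{n:5d} {tag}")
```

Note that one line can land in several of Kevin's buckets at once (a source-port-0 packet from a spoofed local address counts in both), which is why his per-category counts need not sum to the number of dropped packets.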
