Re: Source Port 0 Host Sweep

[GuidoZ <uberguidoz () gmail com>]

Hello JM.

I'm not sure if this applies in your case, however I've seen ACK
sweeps before that originated from what was reported as port 0,
although it was really just a dynamically assigned port (1024+). I'm
not familiar with your IPS, so I can't say how it gathers data.

As you likely know, many applications don't care what port they are
provided for a network connection, so they "ask" the OS to assign the
"next available port". In point of fact, they ask for port 0, but are
assigned one starting with port 1024. It's possible that the IPS is
picking up this "next available port"... though it seems unlikely.
It's about all that popped into my head.

The only other thing I can think of is what port 0 is normally used
for - to help determine the operating system. However, when used in
this way, the destination IP address will be 0.0.0.0 and the ACK bit
will be set. Are the scans determined to be coming from different IP#s
for sure? It might be a wise idea to do some packet sniffing to see
what data is being sent, if any, besides the ACK.

Best of luck.

--
Peace. ~G


On Fri, 7 Jan 2005 10:32:41 -0600, JM <ubahmapk () gmail com> wrote:
> I am receiving some alerts on our IntruShield IPS of a few internal
> hosts "TCP: ACK Host Sweep"ing the network.  All sweeps have dest port
> 80 (and more interestingly) source port 0.
>
> I'm familiar with Host Sweeps and port 80 and know that port 0 is a
> valid port, but I've never seen anything actually _use_ it.
>
> I have googled and searched all the archives I could find and haven't
> seen anything describing this behaviour.
>
> I want to send our HW techs to the machines (all windows PCs) and have
> them cleaned, but I can't even tell them what to look for.
>
> Does anyone know of any app/malware/virus that causes this sort of Host Sweep?
>
> JM