Bugtraq mailing list archives

Re: port 0 scanning


From: dagmar () estates ml org (Dagmar d'Surreal)
Date: Fri, 10 Jul 1998 17:33:50 -0500


On Thu, 9 Jul 1998, Lamont Granquist wrote:

> As a followup to this, I've been informed by two people now[*] that Linux
> boxes will respond to SYN|FIN with a SYN|FIN|ACK on an open port.
> Therefore this probably indicates that the SYN|FIN packets were not only
> an attempt to get past poorly designed firewalls, but probably an attempt
> to ID the system being probed as a Linux box as well.

First off, an apology for being so late in a follow-up on this subject.
Initially I was at a loss as to what exactly was going on with this port
zero business, but after sending some (carefully phrased) email to root at
one of the origins of the port 0 packets, I found out what exactly is
going on.  The good news is that it is most definitely a port scanner and
not a DoS attack.  The person I contacted informed me that he was doing
some (relatively) harmless statistics gathering, and was using a program
called "linuxportz 0.1" (which I have yet to find time to track down, and
is part of the reason for my delayed followup) written by someone called
crazy-b, and dated 28.02.98.  The code reportedly allows you to choose the
source port for the scan, and the default value is zero.  IMHO, it's
either a side effect or a bug that it actually uses port 0, rather than
selecting a free port automatically (it _is_ a 0.1 version, after all) but
I haven't decided which yet.  I have (since the first few emails) heard
nothing further from the person.  My guess (due to his age) is that he's
in trouble with his parents.  *chuckle* I hope they're not too hard on him
because he was at least polite enough to apologize for alarming me.

And to contradict the statement made by another poster, most port scanners
do _not_ use a source port of 0.  In fact, two things about this scanner
make it stand out like a sore thumb among normal network traffic.  The
first is that while its stealth feature may cause getsockname() to fail
and return error 107 (Transport endpoint is not connected; as a result of
the socket descriptor being built and torn down practically in the same
breath) which sufficiently hides the source of the connection from normal
daemons that interface at the transport layer, there is almost no normal
incidence in which this type of packet would be useful.  The SYN and FIN
both being set in the same packet sticks out like a sore thumb once you
know to look for it.  The second fault is that, well, port 0 is one of
those things that you also almost never ever see in normal network
traffic ...especially as an origination point.  I'll give crazy-b points
for trying a new theory, but in practice this isn't very stealthy, IMHO.
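As an added example for defenders (not code from this thread or from the scanner it discusses), a small Python check that flags the two traits the post says make this traffic stand out: SYN and FIN set in the same TCP header, and a source port of 0. It also tags the SYN|FIN|ACK reply that the quoted message attributes to Linux hosts. The header layout and sample segments are constructed here; the tag strings are my own.

```python
import struct

# TCP flag bits (low byte of the flags field)
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10
TCP_HDR = "!HHIIBBHHH"  # src, dst, seq, ack, data offset, flags, window, checksum, urgent


def build_tcp_segment(src_port, dst_port, flags):
    """Construct a minimal 20-byte TCP header (sample data, no options, zero checksum)."""
    data_offset = 5 << 4  # 5 x 32-bit words = 20 bytes, no options
    return struct.pack(TCP_HDR, src_port, dst_port, 0, 0, data_offset, flags, 8192, 0, 0)


def classify_tcp(segment):
    """Return the anomaly tags that apply to one TCP header, per the thread's observations."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, _dst, _seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    tags = []
    if flags & TCP_SYN and flags & TCP_FIN:
        # SYN and FIN never co-occur in a legitimate handshake; with ACK it is the
        # reply pattern the quoted message attributes to Linux on an open port.
        tags.append("syn-fin-ack reply" if flags & TCP_ACK else "syn-fin probe")
    if src == 0:
        tags.append("source port 0")
    return tags


def scan_segments(segments):
    """Map segment index -> tags for every segment that shows at least one anomaly."""
    findings = {}
    for i, seg in enumerate(segments):
        tags = classify_tcp(seg)
        if tags:
            findings[i] = tags
    return findings


if __name__ == "__main__":
    # Constructed sample traffic: a normal SYN, the scanner's probe, and a host's reply.
    sample = [
        build_tcp_segment(40000, 80, TCP_SYN),
        build_tcp_segment(0, 80, TCP_SYN | TCP_FIN),
        build_tcp_segment(80, 0, TCP_SYN | TCP_FIN | TCP_ACK),
    ]
    for idx, tags in scan_segments(sample).items():
        print(idx, tags)
```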
