Educause Security Discussion mailing list archives

Re: TCP port 0


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Wed, 24 Nov 2004 11:41:50 -0500

At 10:05 AM 11/24/2004 -0600, John Kristoff wrote:
On Wed, 24 Nov 2004 10:21:37 -0500
Bernie Timberman <BTIMBERMAN () DEPAUW EDU> wrote:

We have been seeing a lot of traffic lately on tcp port 0. Anyone else
seeing traffic on that port and is anyone blocking that port?

Depending on how you are 'seeing' the traffic, much of it may only be
fragments of a larger TCP packet using ports not known to that fragment.
Data retrieved via network flows (e.g. Netflow) is typically reported
this way.

I do not know of any legitimate use of TCP port 0, but port 0 is widely
used in UDP-based applications.  Particularly the source port for things
like streaming media.  UDP source port 0 is specifically legitimate per
RFC 768 so be careful what you filter.


I ran a quick check of a darknet, and saw 12 hits on TCP/0 out of 9.17 million total hits, and those TCP/0 hits 
appeared to be backscatter from source-spoofed DOS activity rather than true scans at TCP/0.

Scanning TCP/0 can be used to fingerprint systems[1].

I'd be interested in off-list detail about the observations.


Doug Pearson
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630, ren-isac () iu edu
http://www.ren-isac.net

[1] http://www.networkpenetration.com/port0.html


-o0o-

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
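
The distinction raised in the quoted reply (fragments reported as port 0 versus packets that really carry port 0), as an added example that is not part of the original thread: it reads the IPv4 fragment offset before trusting any port field. The sample packets, addresses and helper names are constructed for illustration.

```python
import struct
from collections import Counter

TCP, UDP = 6, 17

def classify_port0(packet: bytes) -> str:
    """Explain why an IPv4 packet would (or would not) be reported as TCP port 0."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "truncated"
    ihl = (packet[0] & 0x0F) * 4               # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "truncated"
    if packet[9] != TCP:
        return "not-tcp"
    (flags_frag,) = struct.unpack("!H", packet[6:8])
    if flags_frag & 0x1FFF:                     # fragment offset != 0
        return "non-initial-fragment"           # no TCP header here, ports unknown
    if len(packet) < ihl + 4:
        return "truncated"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return "real-port-0" if 0 in (sport, dport) else "normal"

def tally(packets):
    """Count classifications over a batch of raw IPv4 packets."""
    return Counter(classify_port0(p) for p in packets)

# --- constructed sample packets (documentation addresses, checksums left 0) ---
def ipv4(proto, payload, frag_offset=0, more_fragments=False):
    flags_frag = (0x2000 if more_fragments else 0) | frag_offset
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def tcp_header(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

SAMPLES = {
    "first fragment": ipv4(TCP, tcp_header(40000, 80) + b"A" * 1460, more_fragments=True),
    "second fragment": ipv4(TCP, b"A" * 100, frag_offset=185),  # 185 * 8 = 1480 bytes in
    "SYN to port 0": ipv4(TCP, tcp_header(40001, 0)),
    "UDP source port 0": ipv4(UDP, struct.pack("!HHHH", 0, 5004, 8, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18s} -> {classify_port0(pkt)}")
```

Only the "SYN to port 0" sample is traffic actually addressed to TCP/0; the second fragment has no TCP header at all, which is why a flow exporter has no ports to report for it.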
