Security Incidents mailing list archives
RE: Strange Port 0 Traffic
From: Andre Ludwig <ALudwig () Calfingroup com>
Date: Fri, 14 Nov 2003 12:58:36 -0800
Port 0 has been used to fingerprint OS's remotely in a few tools. http://www.networkpenetration.com/port0.html Andre Ludwig, CISSP -----Original Message----- From: Josh.Berry () compucom com [mailto:Josh.Berry () compucom com] Sent: Thursday, November 13, 2003 2:41 PM To: incidents () securityfocus com Subject: Strange Port 0 Traffic I am seeing a lot of traffic lately coming from different external sources using UDP originating from a source port of 10000 and coming to my various firewall addresses with a destination port of 0. I ran tcpdump traces for this traffic both internally and externally for about 2 weeks. The traces showed no internal servers/desktops/devices making these connections, only external machines sending these packets to the firewalls. The data in the packet is gibberish; looks like it might be encrypted. Is anyone else seeing this kind of traffic? Attached is a sanitized trace of some of these packets. Josh Berry Information Security Group 972-856-5402 --------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
Current thread:
- Strange Port 0 Traffic Josh.Berry (Nov 14)
- Message not available
- Re: Strange Port 0 Traffic Francesca C Smith (Nov 14)
- Message not available
- <Possible follow-ups>
- RE: Strange Port 0 Traffic Andre Ludwig (Nov 17)
- RE: Strange Port 0 Traffic Jesus Salvador (Nov 17)