RE: Strange Port 0 Traffic

[Andre Ludwig <ALudwig () Calfingroup com>]

Port 0 has been used to fingerprint OS's remotely in a few tools. 

http://www.networkpenetration.com/port0.html

Andre Ludwig, CISSP

-----Original Message-----
From: Josh.Berry () compucom com [mailto:Josh.Berry () compucom com]
Sent: Thursday, November 13, 2003 2:41 PM
To: incidents () securityfocus com
Subject: Strange Port 0 Traffic


I am seeing a lot of traffic lately coming from different external
sources using UDP originating from a source port of 10000 and coming to
my various firewall addresses with a destination port of 0.

I ran tcpdump traces for this traffic both internally and externally for
about 2 weeks.  The traces showed no internal servers/desktops/devices
making these connections, only external machines sending these packets
to the firewalls.  

The data in the packet is gibberish; looks like it might be encrypted.
Is anyone else seeing this kind of traffic?

Attached is a sanitized trace of some of these packets.

Josh Berry
Information Security Group
972-856-5402


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------