Security Incidents mailing list archives
Re: Source port 0 and from a 0 network to boot?
From: kurt <kurta59 () gmail com>
Date: Mon, 13 Jun 2005 11:29:08 -0500
0 may be a legit first octet but more realistically this PCs address was actually 10.153.189.110. So the source addresses we knew where spoofed. I'm wondering if this looks like any known bot/trojan/whatever? this was a definate attempt to DoS the destination, too bad it DoS'd a local network. it may have been the writer of this bot/trojan/whatever had assumed the exploited PC would be closer to a perimeter (ie: home broadband) and not deep within a network? the box was taken off-line and by now i'm guessing it's been rebuilt <bummer> forensics? probably not...... oh well. On 11 Jun 2005 19:08:31 -0000, junkma1l () cox net <junkma1l () cox net> wrote:
The destination website advises they're experiencing 'server problems'. I would have to guess it's a trojan or botnet DDoS/SYN flood attack. As far as the port 0 traffic, a quote from an old Neohapisis archive "Using TCP port 0 is a common tactic to avoid some badly written packet filters.... Some net admins fail to realize that there is a port 0, thinking that the lowest port number is 1, and thus don't account for it when writing firewall rules. An attacker gains the advantage of possibly bypassing firewall rules, or badly written intrusion sensors. It should also be noted that very, very, old versions of DNS were done on port 0, but that wasn't done using TCP." Probably just disguising the attacking host (though not very well) to slow down the filtering/blocking of attackers.
Current thread:
- Source port 0 and from a 0 network to boot? kurt (Jun 10)
- Re: Source port 0 and from a 0 network to boot? Valdis . Kletnieks (Jun 13)
- <Possible follow-ups>
- Re: Source port 0 and from a 0 network to boot? junkma1l (Jun 13)
- Re: Source port 0 and from a 0 network to boot? kurt (Jun 13)