More Bad Port 0 Traffic

Published: 2013-11-25
Last Updated: 2013-11-25 20:57:57 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

Thanks to an alert reader for sending us a few odd packets with "port 0" traffic. In this case, we got full packet captures, and the packets just don't make sense.

The TTL of the packets varies with the source IP address, which makes spoofing less likely. The TCP headers overall don't make much sense: there are packets with a TCP header length of 0, and packets with odd flag combinations. This could be an attempt to fingerprint, but even compared to nmap this is very noisy. The packets arrive rather slowly, far from DDoS levels.

Here are a couple of samples (I anonymised the target IP). Any hints as to what could cause this are welcome.

IP truncated-ip - 4 bytes missing! (tos 0x0, ttl 52, id 766, offset 0, flags [DF], proto TCP (6), length 88)
    94.102.63.55.0 > 10.10.10.10.0:  tcp 68 [bad hdr length 0 - too short, < 20]

0x0000:  4500 0058 02fe 4000 3406 91f1 5e66 3f37
0x0010:  0a0a 0a0a 0000 0000 55c3 7203 0000 0000
0x0020:  0c00 0050 418b 0000 6e82 ef01 0000 0000
0x0030:  25b0 ce4b 0000 0000 a002 3cb0 9a8b 0000
0x0040:  0204 0f2c 0402 080a 0005 272d 0005 272d
0x0050:  0103 0300

IP truncated-ip - 4 bytes missing! (tos 0x10, ttl 47, id 28629, offset 0, flags [DF], proto TCP (6), length 60)
    46.137.48.107.0 > 10.10.10.10.0: Flags [P.UW] [bad hdr length 56 - too long, > 40]
0x0000:  4510 003c 6fd5 4000 2f06 68cf 2e89 306b
0x0010:  0a0a 0a0a 0000 0000 51a9 89b8 0000 0000
0x0020:  e6b8 0050 b315 0000 ec67 0d66 0000 0000
0x0030:  0000 0000 0000 0000

IP truncated-ip - 4 bytes missing! (tos 0x80, ttl 51, id 45284, offset 0, flags [DF], proto TCP (6), length 60)
    186.202.179.99.0 > 10.10.10.10.0: Flags [SUW], seq 1603085765, win 27016, urg 0, options [[bad opt]

0x0000:  4580 003c b0e4 4000 3306 1416 baca b363
0x0010:  0a0a 0a0a 0000 0000 5f8d 25c5 0000 0000
0x0020:  aba2 6988 23fa 0000 f271 af2a 0000 0000
0x0030:  0000 0000 0000 0000
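Added example, not part of the diary: a small Python decoder that rebuilds the packet bytes from tcpdump -x rows like the ones above and reports the same header problems tcpdump flags (port 0, a TCP data offset shorter than 20 bytes or longer than the IP length allows, reserved bits set, odd flag sets, truncation). The two embedded dumps are the first and third samples above; the anomaly wording mirrors tcpdump's messages but is my own.

```python
import struct

# First and third hex dumps from the diary above (tcpdump -x rows; a trailing ASCII column is tolerated).
SAMPLE1 = """0x0000:  4500 0058 02fe 4000 3406 91f1 5e66 3f37
0x0010:  0a0a 0a0a 0000 0000 55c3 7203 0000 0000
0x0020:  0c00 0050 418b 0000 6e82 ef01 0000 0000
0x0030:  25b0 ce4b 0000 0000 a002 3cb0 9a8b 0000
0x0040:  0204 0f2c 0402 080a 0005 272d 0005 272d
0x0050:  0103 0300"""
SAMPLE3 = """0x0000:  4580 003c b0e4 4000 3306 1416 baca b363
0x0010:  0a0a 0a0a 0000 0000 5f8d 25c5 0000 0000
0x0020:  aba2 6988 23fa 0000 f271 af2a 0000 0000
0x0030:  0000 0000 0000 0000"""

FLAG_NAMES = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
              (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]

def hexdump_to_bytes(dump):
    """Rebuild packet bytes from tcpdump -x rows, stopping at the first token that is not 4 hex digits."""
    out = bytearray()
    for row in dump.strip().splitlines():
        for word in row.split(":", 1)[1].split():
            if len(word) != 4 or any(c not in "0123456789abcdef" for c in word.lower()):
                break                              # hit the ASCII column; rest of the row is not data
            out += bytes.fromhex(word)
    return bytes(out)

def analyse(pkt):
    """Decode IPv4 + the fixed 20-byte TCP header and list what tcpdump (or an IDS) would flag."""
    ihl = (pkt[0] & 0x0f) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    tcp = pkt[ihl:ihl + 20].ljust(20, b"\0")       # pad so a short capture still decodes
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    hdr_len, reserved = (tcp[12] >> 4) * 4, tcp[12] & 0x0f   # data offset and the 4 reserved bits
    flags, window = tcp[13], struct.unpack("!H", tcp[14:16])[0]
    room = total_len - ihl                         # bytes the IP length leaves for the TCP segment
    checks = [
        (sport == 0 or dport == 0, "port 0"),
        (hdr_len < 20, f"bad hdr length {hdr_len} - too short, < 20"),
        (hdr_len > room, f"bad hdr length {hdr_len} - too long, > {room}"),
        (reserved != 0, "reserved header bits set"),
        (flags == 0, "no TCP flags set"),
        (bool(flags & 0x02 and flags & 0x05), "SYN together with FIN or RST"),
        (len(pkt) < total_len, f"truncated: {total_len - len(pkt)} bytes missing"),
    ]
    return {"src": src, "dst": dst, "ttl": pkt[8], "sport": sport, "dport": dport, "seq": seq,
            "hdr_len": hdr_len, "window": window, "flags": [n for b, n in FLAG_NAMES if flags & b],
            "anomalies": [msg for hit, msg in checks if hit]}
```

`analyse(hexdump_to_bytes(SAMPLE1))` reproduces tcpdump's "bad hdr length 0 - too short, < 20" and "4 bytes missing" for the first sample, and for the third sample yields seq 1603085765, window 27016 and the SYN/URG/CWR flag set that tcpdump prints as [SUW].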


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: port 0

Comments

I also just received three of them.

123.151.42.61.12206 > xxx.xxx.xxx.xxx 0: S 116228792:116228792(0) win 8192 (DF) [tos 0x20]
18:24:52.534712 123.151.42.61.12205 > xxx.xxx.xxx.xxx.0: S116228792:116228792(0) win 8192 (DF) [tos 0x20]

18:24:53.380655 123.151.42.61.12202 > xxx.xxx.xxx.xxx.0: S 116228792:116228792(0) win 8192 (DF) [tos 0x20]
This is what I noticed on an interface that is a WAN router to a small subnet (28). Destination addresses have been changed.

16:24:08.808265 IP 54.232.86.151.0 > xxx.xxx.xxx.xx.0: tcp 32 [bad hdr length 8 - too short, < 20]
0x0000: 4530 003c 44df 4000 2c06 2ad9 36e8 5697 E0.<D.@.,.*.6.V.
0x0010: c7f1 8963 0000 0000 d80f ac6a 0000 0000 ...c.......j....
0x0020: 25a0 16b8 4df5 0000 147e bc00 0000 0000 %...M....~......
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x

16:29:10.468867 IP 182.160.137.90.0 > xxx.xxx.xxx.xx.0: Flags [FRP.UW], seq 3624905834:3624905842, ack 0, win 5816, urg 0, options [[bad opt]
0x0000: 4510 003c e578 4000 3506 cee3 b6a0 895a E..<.x@.5......Z
0x0010: c7f1 8963 0000 0000 d80f ac6a 0000 0000 ...c.......j....
0x0020: 86bd 16b8 1b42 0000 e99c 2a37 0000 0000 .....B....*7....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x

21:23:02.169107 IP 182.160.137.90.0 > xxx.xxx.xxx.xx.0: Flags [FRP.UW], seq 1211611695:1211611703, ack 0, win 80, urg 0, options [[bad opt]
0x0000: 4510 003c e578 4000 3506 cee3 b6a0 895a E..<.x@.5......Z
0x0010: c7f1 8963 0000 0000 4837 ba2f 0000 0000 ...c....H7./....
0x0020: 86bd 0050 b3bd 0000 e99c 2a37 0000 0000 ...P......*7....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x

21:25:23.827970 IP 111.8.17.50.0 > xxx.xxx.xxx.xx.0: Flags [SRUE] [bad hdr length 44 - too long, > 40]
0x0000: 4500 003c 9b77 4000 3306 dab5 6f08 1132 E..<.w@.3...o..2
0x0010: c7f1 8963 0000 0000 4837 ba2f 0000 0000 ...c....H7./....
0x0020: b266 0050 4274 0000 c5c7 2e64 0000 0000 .f.PBt.....d....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x

21:29:06.864855 IP 166.78.145.4.0 > xxx.xxx.xxx.xx.0: tcp 28 [bad hdr length 12 - too short, < 20]
0x0000: 4510 003c 015b 4000 3706 b9a9 a64e 9104 E..<.[@.7....N..
0x0010: c7f1 8963 0000 0000 4837 ba2f 0000 0000 ...c....H7./....
0x0020: 3a55 0050 0000 0000 b43f a744 0000 0000 :U.P.....?.D....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x


The single destination address (of a /28) that is receiving these port 0 requests has very little traffic and is used as an HTTP origin server for a couple of reverse proxies. The addresses that the port 0 requests are coming from are none that I used or have any association with, so I am also a bit curious as to what is making this chatter.
Here are my findings (for the last day/24h) from a single IPv4 address:

6x from 123.151.42.61, first Nov 26 00:56:07, last Nov 26 22:45:32, type tcp len 20 40 -S IN

5x from 166.78.145.4, first Nov 26 01:22:30, last Nov 26 03:56:59, type tcp len 20 60 -ARSFPC IN bad

6x from 173.203.222.177 (173-203-222-177.static.cloud-ips.com), first Nov 26 01:23:43, last Nov 26 19:41:44, type tcp len 20 60 -SFEC IN bad

In all above cases the dstport (where dstip was the above single IPv4 address) was 0.
Went from a few port 0 alerts a day (under 50) to over 2,800 since yesterday around 4:00 PM. Multiple sources, multiple destinations across all of our public IP space. Source and destination are both port 0, at least in the few I've had time to look at. Christmas Tree scan-like in the TCP flags (FIN, SYN, RST, PSH, ACK, Reserved, etc.).
Hi,

We are having the same sort of attacks, and have been for the last month or so; each night we get flooded with port 0 traffic, last night from 111.8.17.50, and I think this is the same problem as above. Does anyone have any suggestions on what we can do? Here are some other IPs we get attacked from:
166.78.24.147
162.243.40.151
173.45.238.125
50.56.176.218

Any help would be appreciated!
All Denied using 871 Cisco...

4.79.142.206 8X
123.151.42.61 (12201)
175.155.14.178
183.105.55.200 5X
58.208.223.156
91.238.64.166
95.67.168.75

Though not port 0... some scumbag on a psycho net, 216.35.15.152. I see no connection in his future.
