Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

More Bad Port 0 Traffic

Published: 2013-11-25
Last Updated: 2013-11-25 20:57:57 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

Thanks to an alert reader for sending us a few odd packets with "port 0" traffic. In this case, we got full packet captures, and the packets just don't make sense.

The TTL of the packet changes with source IP address, making spoofing less likely. The TCP headers overall don't make much sense. There are packets with a TCP header length of 0, or packets with odd flag combinations. This could be an attempt to fingerprint, but even compared to nmap, this is very noisy. The packets arrive rather slow, far from DDoS levels.

Here are a couple samples (I anonymised the target IP). Any hints as to what could cause this are welcome. 

IP truncated-ip - 4 bytes missing! (tos 0x0, ttl 52, id 766, offset 0, flags [DF], proto TCP (6), length 88)
    94.102.63.55.0 > 10.10.10.10.0:  tcp 68 [bad hdr length 0 - too short, < 20]

0x0000:  4500 0058 02fe 4000 3406 91f1 5e66 3f37
0x0010:  0a0a 0a0a 0000 0000 55c3 7203 0000 0000
0x0020:  0c00 0050 418b 0000 6e82 ef01 0000 0000
0x0030:  25b0 ce4b 0000 0000 a002 3cb0 9a8b 0000
0x0040:  0204 0f2c 0402 080a 0005 272d 0005 272d
0x0050:  0103 0300

IP truncated-ip - 4 bytes missing! (tos 0x10, ttl 47, id 28629, offset 0, flags [DF], proto TCP (6), length 60)
    46.137.48.107.0 > 10.10.10.10.0: Flags [P.UW] [bad hdr length 56 - too long, > 40]
0x0000:  4510 003c 6fd5 4000 2f06 68cf 2e89 306b
0x0010:  0a0a 0a0a 0000 0000 51a9 89b8 0000 0000
0x0020:  e6b8 0050 b315 0000 ec67 0d66 0000 0000
0x0030:  0000 0000 0000 0000

IP truncated-ip - 4 bytes missing! (tos 0x80, ttl 51, id 45284, offset 0, flags [DF], proto TCP (6), length 60)
    186.202.179.99.0 > 10.10.10.10.0: Flags [SUW], seq 1603085765, win 27016, urg 0, options [[bad opt]

0x0000:  4580 003c b0e4 4000 3306 1416 baca b363
0x0010:  0a0a 0a0a 0000 0000 5f8d 25c5 0000 0000
0x0020:  aba2 6988 23fa 0000 f271 af2a 0000 0000
0x0030:  0000 0000 0000 0000

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: port 0
6 comment(s)
Diary Archives