I must have miscommunicated in my last posting so I hope this clarifies
things a bit.

I didn't say there wasn't any significance to 'port 0' in all packets,
just ICMP.  ICMP does NOT use ports (that is a TCP and UDP construct) so
if the protocol riding on IP is ICMP and not TCP or UDP, then a port
number is meaningless.

Hping sends **TCP** packets to port 0 on a host, not **ICMP**.  In that
situation, port 0 has meaning--it can possibly tell you what tool is
operating and why.

The reason you often see logs show a port number of 0 for ICMP traffic is
not because ICMP actually went to port 0, it's because the fields are
generally tuned to TCP and UDP traffic so rather than putting nothing in
the field, tools often put 0.  But don't be fooled into thinking it
*actually* went to port 0 because it didn't go to any port at all.
Remember, ICMP doesn't use ports!

-Jason

On Wed, 15 Dec 1999, Ron DuFresne wrote:

> Date: Wed, 15 Dec 1999 19:39:50 -0600 (CST)
> From: Ron DuFresne <[EMAIL PROTECTED]>
> To: Jason Axley <[EMAIL PROTECTED]>
> Subject: Re: Something about port 0
> 
> On Wed, 15 Dec 1999, Jason Axley wrote:
> 
> > There really isn't any significance to the 'port 0' part of the log entry
> > because ICMP is not TCP or UDP and does not have the concept of a port
> > number.
> > 
> > It will all depend on the ICMP packet types to know what the potential
> > attacker was attempting.  If they were just ICMP echo requests (i.e.
> > pings), they may have been attempting to see if certain IPs were being
> > used in your organization.  
> 
> 
> I disagree, port 0 to me identifies this as someone most likely playing
> with hping or hping2; it sends by default to port 0.
> 
> Thanks,
> 
> Ron Dufresne
> 
> 
> > 
> > -Jason
> > 
> > On Wed, 15 Dec 1999, Edy - UOL wrote:
> > 
> > > Date: Wed, 15 Dec 1999 15:27:05 -0200
> > > From: Edy - UOL <[EMAIL PROTECTED]>
> > > To: firewall-lista <[EMAIL PROTECTED]>
> > > Subject: Something about port 0
> > > 
> > > Hello all,
> > > 
> > > 
> > > In my log files, I am seeing an IP address that sends me many ICMP packets
> > > to search my network 200.224.x.1 to 200.224.x.255 on port 0 (zero).
> > > 
> > > What does it look like???  Is this an ICMP attack to discover which servers are
> > > in this network??
> > > 
> > > THx all,
> > > 
> > > Edy Rojas.
> > > 
> > > 
> > > 
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > > 
> > 
> > 
> > AT&T Wireless Services
> > IT Security
> > UNIX Security Operations Specialist
> > 
> > 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
>       ***testing, only testing, and damn good at it too!***
> 
> OK, so you're a Ph.D.  Just don't touch anything.
> 
> 


AT&T Wireless Services
IT Security
UNIX Security Operations Specialist


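The distinction drawn above (ICMP carries no port numbers, so a logged "port 0" on ICMP is a formatter artefact, whereas a TCP packet to destination port 0 really does say something about the sending tool) can be made concrete by decoding the headers. The following is an added example, not code from any message in this thread or from hping itself. The packets and addresses (192.0.2.x, 198.51.100.x) are constructed inline; the "hping-style" packet is a TCP segment with no flags to port 0, which is the default the thread describes, and the naive log formatter is a hypothetical one written to reproduce the artefact.

```python
"""Decode IPv4/ICMP/TCP headers and show where a logged 'port 0' really comes from."""
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17
ICMP_ECHO_REQUEST = 8


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header. Checksum is left zero: these bytes are parsed, never sent."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr + payload


def build_icmp_echo(ident=1, seq=1):
    """ICMP echo request: type 8, code 0. Note there is no port field anywhere in it."""
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)


def build_tcp(sport, dport, flags):
    """20-byte TCP header (data offset 5); checksum and urgent pointer zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 512, 0, 0)


def parse(pkt):
    """Return a dict describing the packet; ports are None when the protocol has none."""
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    body = pkt[ihl:]
    rec = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
           "proto": proto, "sport": None, "dport": None}
    if proto == IPPROTO_ICMP:
        rec["icmp_type"], rec["icmp_code"] = struct.unpack("!BB", body[:2])
    elif proto in (IPPROTO_TCP, IPPROTO_UDP):
        rec["sport"], rec["dport"] = struct.unpack("!HH", body[:4])
        if proto == IPPROTO_TCP:
            rec["tcp_flags"] = body[13]
    return rec


def naive_log_line(rec):
    """Hypothetical formatter with fixed TCP/UDP-shaped columns: it writes 0 when there is
    no port at all, so an ICMP echo and a genuine TCP-to-port-0 probe look alike here."""
    return (f"{rec['src']} -> {rec['dst']} proto={rec['proto']} "
            f"sport={rec['sport'] or 0} dport={rec['dport'] or 0}")


def classify(rec):
    """Use the decoded header, not the log column, to say what the packet was."""
    if rec["proto"] == IPPROTO_ICMP:
        if rec["icmp_type"] == ICMP_ECHO_REQUEST:
            return "ICMP echo request (host discovery); no port involved, logged 'port 0' is an artefact"
        return f"ICMP type {rec['icmp_type']}/{rec['icmp_code']}; no port involved"
    if rec["proto"] == IPPROTO_TCP and rec["dport"] == 0:
        return f"TCP to port 0 with flags=0x{rec['tcp_flags']:02x} (hping-style default probe); port 0 is real here"
    if rec["proto"] == IPPROTO_TCP:
        return f"TCP to port {rec['dport']} (flags=0x{rec['tcp_flags']:02x})"
    return f"UDP to port {rec['dport']}"


def echo_sweep_targets(records):
    """Group echo-request destinations by source: a walk across a /24 shows up as one
    source with many targets, which is the actual signal in a log like Edy's."""
    targets = {}
    for r in records:
        if r["proto"] == IPPROTO_ICMP and r["icmp_type"] == ICMP_ECHO_REQUEST:
            targets.setdefault(r["src"], set()).add(r["dst"])
    return targets


# Constructed sample traffic (documentation addresses, not real captures):
# a ping sweep over 198.51.100.1-5, an hping-style TCP/no-flags probe to port 0, and an HTTP SYN.
SWEEP = [build_ipv4("192.0.2.10", f"198.51.100.{h}", IPPROTO_ICMP, build_icmp_echo(seq=h))
         for h in range(1, 6)]
HPING_DEFAULT = build_ipv4("192.0.2.10", "198.51.100.1", IPPROTO_TCP, build_tcp(2048, 0, 0x00))
HTTP_SYN = build_ipv4("192.0.2.10", "198.51.100.1", IPPROTO_TCP, build_tcp(40000, 80, 0x02))

if __name__ == "__main__":
    for pkt in SWEEP[:1] + [HPING_DEFAULT, HTTP_SYN]:
        rec = parse(pkt)
        print(naive_log_line(rec), "|", classify(rec))
    print(echo_sweep_targets(map(parse, SWEEP)))
```

Running it prints the same "sport=0 dport=0" column for the echo request that the log formatter would, while `classify` reports the ICMP type instead; the TCP probe keeps its "dport=0" because that value is really in the header. When triaging a log that only has the formatted column, the protocol field (or ICMP type, if the tool records it) is what to look at, not the port.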