I hadn't planned on replying to this thread.  I answered Ola's original 
query privately.  Port 0 is a perfectly legitimate source port for UDP.
It is not a legitimate destination port.  For example, it is specified as
one of the two source ports which may be used by IKE (the other is
port 500).  This information is available in RFCs for UDP, TCP, and you
can also review all the assigned ports (and all sorts of other assigned
numbers) at the IANA site (www.iana.org).

Hope this helps,
rwt
--
Robert Tashjian
[EMAIL PROTECTED]

----- Original Message ----- 
From: "Igor Gashinsky" <[EMAIL PROTECTED]>
To: "Ola Samuelson" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, April 06, 2000 8:06 PM
Subject: Re: Port 0


> Ola,
> 
> Generally, there should be absolutely no traffic coming from port 0 of any
> machine. Any traffic from port 0 should be considered highly suspicious and
> investigated promptly, since it is usually indicative of crafted packets.
> If the traffic is coming from your DMZ, you should examine who has root or
> sudo privileges on that machine, and assess if they could have installed/run
> some tool that manufactures packets (ippacket, nmap, etc). If you do not
> see those around, and/or see that nobody was logged onto your machine when
> you saw those packets, it is time to break out that tripwire database, and
> check the binaries, because it is possible that it has been "rooted". 
> 
> If you want to post the trace of this communication to the list, maybe we
> could be of more help.
> 
> -Igor Gashinsky, GCIA
> 
> At 10:48 AM 4/6/00 +0200, Ola Samuelson wrote:
> >Hi!
> >Sure this has been discussed but ... what is going on when a machine from
> >the DMZ communicates via port 0 to unknown host.
> >Thanks!
> >
> >//OS
> >
> >
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]
> >
> 

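A detection sketch for the port 0 cases discussed in this thread, added here as an example and not code from any poster: it reads the source and destination ports from raw IPv4 TCP/UDP packets and reports port 0 on either side, skipping non-first fragments, which carry no transport header. The function names and the sample packets (documentation addresses, zero checksums) are constructed for illustration.

```python
import struct

TCP, UDP = 6, 17

def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet by its use of port 0."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    proto = pkt[9]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if proto not in (TCP, UDP):
        return "no-ports"
    if frag_offset:
        # Non-first fragments carry payload only; reading "ports" here
        # would turn arbitrary data into false port 0 alerts.
        return "fragment-no-ports"
    if ihl < 20 or len(pkt) < ihl + 4:
        return "truncated"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if dport == 0:
        return "dst-port-0"
    if sport == 0:
        return "src-port-0"
    return "ok"

def make_packet(proto, sport, dport, frag_offset=0):
    """Build a constructed IPv4 packet (sample data, checksum left zero)."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, frag_offset,
                     64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return ip + l4

# Constructed samples: label -> raw packet
SAMPLES = {
    "udp 0 -> 500": make_packet(UDP, 0, 500),
    "tcp 0 -> 80": make_packet(TCP, 0, 80),
    "udp 1024 -> 0": make_packet(UDP, 1024, 0),
    "udp 53 -> 1024": make_packet(UDP, 53, 1024),
    "udp later fragment": make_packet(UDP, 0, 0, frag_offset=185),
}

def run():
    return {name: classify(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:20} {verdict}")
```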