[AusNOG] port 0 probes

Joshua D'Alton joshua at railgun.com.au
Tue Oct 7 11:51:47 EST 2014


From my research it is spoofed traffic and malformed packets, potentially.
I've seen it mostly in larger DDoS but it could be from other things.

sent from a potato
On 07/10/2014 11:47 am, "Alex Samad - Yieldbroker" <
Alex.Samad at yieldbroker.com> wrote:

> Na
>
> Looks like tcp to me
>
> 1:41:27.363636 IP 206.123.71.35.0 > 202.74.32.48.0:  tcp 32 [bad hdr
> length 8 - too short, < 20]
> 11:41:28.206239 IP 49.156.17.118.0 > 202.74.32.114.0:  tcp 28 [bad hdr
> length 12 - too short, < 20]
> 11:41:29.798972 IP 195.50.80.142.0 > 175.45.112.11.0:  tcp 32 [bad hdr
> length 8 - too short, < 20]
>
> To IPs that are not being used!
>
> A
>
> > -----Original Message-----
> > From: Andree Toonk [mailto:andree at bgpmon.net]
> > Sent: Tuesday, 7 October 2014 11:45 AM
> > To: Alex Samad - Yieldbroker
> > Cc: ausnog at lists.ausnog.net
> > Subject: Re: [AusNOG] port 0 probes
> >
> > Hi Alex,
> >
> > Not sure where you're seeing this, but if it's in netflow: most routers
> > typically mark non-initial fragments as port 0.
> >
> > So if you see udp port 0 in netflow it's most likely udp fragments.
> > Typically you'll see the same increase in 1500 byte packets (the initial
> > packet).
> >
> > Cheers,
> >  Andree
> >
> >
> > .-- My secret spy satellite informs me that at 2014-10-06 5:34 PM Alex
> > Samad - Yieldbroker wrote:
> > > Hi
> > >
> > >
> > >
> > > I am seeing a marked increase in src port 0 and dst port 0 packets.
> > > Anyone else seeing this?
> > >
> > >
> > >
> > > I presume this is some sort of probe.
> > >
> > >
> > >
> > > Is there a legal reason to use port 0?
> > >
> > >
> > >
> > > A
> > >
> > > _______________________________________________
> > > AusNOG mailing list
> > > AusNOG at lists.ausnog.net
> > > http://lists.ausnog.net/mailman/listinfo/ausnog
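Added example, not from the thread or any of its posters: a small Python decoder that shows the two mechanisms discussed above, a non-initial IP fragment (which carries no transport header at all, so a flow exporter has nothing but 0 to record in the port fields) and a TCP segment whose data-offset field claims fewer than the 20-byte minimum, which tcpdump reports as "bad hdr length N - too short, < 20". The packets below are constructed for the example; the addresses are documentation ranges and the port numbers are made up, not the ones in the captures quoted in the thread.

```python
# Added example (not from the AusNOG thread): decode raw IPv4 bytes with the
# standard library only and explain why a packet is reported with port 0.
# Sample packets are constructed below; addresses are documentation ranges.
import ipaddress
import struct

PROTO_TCP = 6
PROTO_UDP = 17
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte header, no options


def build_ipv4(src, dst, proto, payload, frag_offset=0, more_fragments=False):
    """IPv4 header without options; frag_offset is in 8-byte units (wire form).
    Checksum is left as 0 because nothing here validates it."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64,
                        proto, 0, ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, data_offset_words=5, payload=b""):
    """20-byte TCP header whose 4-bit data offset is set to data_offset_words
    (5 = the 20-byte minimum; anything smaller is malformed on purpose)."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                      (data_offset_words & 0xF) << 12, 0, 0, 0)
    return hdr + payload


def classify(pkt):
    """Return a dict with addresses, ports and a one-line reason string."""
    if len(pkt) < IPV4_HDR.size:
        return {"reason": "truncated: shorter than an IPv4 header"}
    (ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto,
     _csum, src, dst) = IPV4_HDR.unpack_from(pkt)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        return {"reason": "bad IPv4 header"}
    l4 = pkt[ihl:total_len]
    out = {"src": str(ipaddress.IPv4Address(src)),
           "dst": str(ipaddress.IPv4Address(dst)),
           "proto": proto, "sport": 0, "dport": 0, "l4_len": len(l4)}
    frag_offset = flags_frag & 0x1FFF
    if frag_offset != 0:
        # No L4 header in this datagram at all: a flow exporter keyed on
        # 5-tuples has nothing to put in the port fields, hence 0.
        out["reason"] = ("non-initial fragment (offset %d bytes): no transport "
                         "header, flow exporters record port 0" % (frag_offset * 8))
        return out
    if proto == PROTO_TCP:
        if len(l4) < 4:
            out["reason"] = "tcp %d: ports truncated" % len(l4)
            return out
        out["sport"], out["dport"] = struct.unpack_from("!HH", l4)
        data_off = (l4[12] >> 4) * 4 if len(l4) >= 13 else 0
        if data_off < 20:
            # Same wording tcpdump uses. The ports were read from the first
            # four bytes before the length check, so ".0 > .0" is in the header.
            out["reason"] = "tcp %d [bad hdr length %d - too short, < 20]" % (len(l4), data_off)
        elif out["sport"] == 0 or out["dport"] == 0:
            out["reason"] = "well-formed tcp that genuinely uses port 0"
        else:
            out["reason"] = "well-formed tcp"
        return out
    if proto == PROTO_UDP:
        if len(l4) < 8:
            out["reason"] = "udp %d: header truncated" % len(l4)
            return out
        out["sport"], out["dport"], _ulen, _ucsum = struct.unpack_from("!HHHH", l4)
        out["reason"] = ("initial fragment, ports readable"
                         if flags_frag & 0x2000 else "well-formed udp")
        return out
    out["reason"] = "protocol %d: no ports" % proto
    return out


# Constructed samples. 1: the shape of the lines quoted in the thread, a
# 32-byte TCP portion whose header claims 8 bytes and carries port 0 both ways.
MALFORMED_TCP = build_ipv4("192.0.2.10", "198.51.100.7", PROTO_TCP,
                           build_tcp(0, 0, data_offset_words=2, payload=b"\x00" * 12))
# 2: a UDP datagram split at 1480 bytes; only the first piece has a UDP header.
UDP_FIRST = build_ipv4("192.0.2.20", "198.51.100.7", PROTO_UDP,
                       struct.pack("!HHHH", 53, 40000, 8 + 1992, 0) + b"A" * 1472,
                       more_fragments=True)
UDP_SECOND = build_ipv4("192.0.2.20", "198.51.100.7", PROTO_UDP, b"A" * 520,
                        frag_offset=1480 // 8)

if __name__ == "__main__":
    for p in (MALFORMED_TCP, UDP_FIRST, UDP_SECOND):
        r = classify(p)
        print("%s.%d > %s.%d: %s" % (r["src"], r["sport"], r["dst"], r["dport"], r["reason"]))
```

Running it prints one line per sample in tcpdump's address.port notation. The malformed sample reproduces the "tcp 32 [bad hdr length 8 - too short, < 20]" shape from the captures above, and the second UDP piece is the netflow case: a 540-byte packet with no ports to report, sitting next to a 1500-byte first fragment that does have them.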