[AusNOG] port 0 probes
Alex Samad - Yieldbroker
Alex.Samad at yieldbroker.com
Tue Oct 7 11:47:08 EST 2014
Na
Looks like tcp to me
1:41:27.363636 IP 206.123.71.35.0 > 202.74.32.48.0: tcp 32 [bad hdr length 8 - too short, < 20]
11:41:28.206239 IP 49.156.17.118.0 > 202.74.32.114.0: tcp 28 [bad hdr length 12 - too short, < 20]
11:41:29.798972 IP 195.50.80.142.0 > 175.45.112.11.0: tcp 32 [bad hdr length 8 - too short, < 20]
To IPs that are not being used!
A
> -----Original Message-----
> From: Andree Toonk [mailto:andree at bgpmon.net]
> Sent: Tuesday, 7 October 2014 11:45 AM
> To: Alex Samad - Yieldbroker
> Cc: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] port 0 probes
>
> Hi Alex,
>
> Not sure where you're seeing this, but if it's in netflow: most routers typically
> mark non-initial fragments as port 0.
>
> So if you see udp port 0 ports in netflow it's most likely udp fragments.
> Typically you'll see the same increase in 1500 byte packets (the initial packet).
>
> Cheers,
> Andree
>
>
> .-- My secret spy satellite informs me that at 2014-10-06 5:34 PM Alex Samad
> - Yieldbroker wrote:
> > Hi
> >
> >
> >
> > I am seeing a marked increase in src port 0 and dst port 0 packets.
> > Anyone else seeing this?
> >
> >
> >
> > I presume this is some sort of probe.
> >
> >
> >
> > Is there a legal reason to use port 0 ?
> >
> >
> >
> > A
> >
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog