tcp port zero...

Russell Fulton r.fulton at auckland.ac.nz
Sun Apr 22 18:19:42 EDT 2001 

HI,
	I know I have asked this before but I have lost the reply 
(sigh...)

I am seeing a sprinkling of argus records with tcp port 0 :

2001-04-22-00:47:39		tcp	152.66.99.19	0	?>	130.216.134.85	1024	1	0	0	0	RA
2001-04-22-00:47:55		tcp	152.66.99.19	0	?>	130.216.235.39	1024	1	0	0	0	RA
2001-04-22-00:51:33		tcp	63.237.94.41	0	?>	130.216.116.106	1024	1	0	0	0	RA
2001-04-22-00:52:57		tcp	63.237.94.41	0	?>	130.216.136.116	1024	1	0	0	0	RA
2001-04-22-00:55:17		tcp	63.237.94.41	0	?>	130.216.184.126	1024	1	0	0	0	RA
2001-04-22-00:56:12		tcp	63.237.94.41	0	?>	130.216.240.53	1024	1	0	0	0	RA
2001-04-22-01:43:57		tcp	172.16.1.253	1593	?>	130.216.35.105	0	1	0	0	0	R
2001-04-22-01:43:58		tcp	172.16.1.253	1584	?>	130.216.35.105	0	1	0	0	0	R
2001-04-22-01:44:20		tcp	172.16.1.253	1597	?>	130.216.35.105	0	1	0	0	0	R
2001-04-22-01:44:20		tcp	172.16.1.253	1595	?>	130.216.35.105	0	1	0	0	0	R
2001-04-22-02:34:25		tcp	24.226.30.55	0	?>	130.216.6.79	3072	1	0	0	0	RA
2001-04-22-03:09:48		tcp	195.132.225.24	0	?>	130.216.72.64	3072	1	0	0	0	RA
2001-04-22-03:11:31		tcp	195.132.225.24	0	?>	130.216.231.3	1024	1	0	0	0	RA
2001-04-22-04:33:31		tcp	208.185.175.154	0	?>	130.216.151.26	3072	1	0	0	0	RA
2001-04-22-04:34:24	I	tcp	208.185.175.154	0	?>	130.216.32.32	3072	1	0	0	0	RA
2001-04-22-04:34:47		tcp	208.185.175.154	0	?>	130.216.210.72	3072	1	0	0	0	RA
2001-04-22-04:36:13		tcp	208.185.175.154	0	?>	130.216.232.104	1024	1	0	0	0	RA
2001-04-22-04:36:33		tcp	208.185.175.154	0	?>	130.216.178.81	3072	1	0	0	0	RA
2001-04-22-04:36:47		tcp	208.185.175.154	0	?>	130.216.118.57	3072	1	0	0	0	RA
2001-04-22-04:37:00		tcp	208.185.175.154	0	?>	130.216.13.73	3072	1	0	0	0	RA
2001-04-22-04:37:04		tcp	208.185.175.154	0	?>	130.216.215.90	3072	1	0	0	0	RA
2001-04-22-04:37:10		tcp	208.185.175.154	0	?>	130.216.212.109	1024	1	0	0	0	RA
2001-04-22-04:37:23		tcp	208.185.175.154	0	?>	130.216.45.89	1024	1	0	0	0	RA
2001-04-22-04:37:24		tcp	208.185.175.154	0	?>	130.216.38.107	1024	1	0	0	0	RA
2001-04-22-04:37:30		tcp	208.185.175.154	0	?>	130.216.114.67	1024	1	0	0	0	RA
2001-04-22-04:37:35		tcp	208.185.175.154	0	?>	130.216.96.74	3072	1	0	0	0	RA
2001-04-22-04:37:38		tcp	208.185.175.154	0	?>	130.216.7.124	3072	1	0	0	0	RA
2001-04-22-04:38:03		tcp	208.185.175.154	0	?>	130.216.209.110	3072	1	0	0	0	RA
2001-04-22-04:38:03		tcp	208.185.175.154	0	?>	130.216.208.39	1024	1	0	0	0	RA
2001-04-22-04:38:13		tcp	208.185.175.154	0	?>	130.216.58.109	1024	1	0	0	0	RA
2001-04-22-04:38:17		tcp	208.185.175.154	0	?>	130.216.211.75	1024	1	0	0	0	RA
2001-04-22-04:38:19	I	tcp	208.185.175.154	0	?>	130.216.35.38	3072	1	0	0	0	RA
2001-04-22-04:39:07		tcp	208.185.175.154	0	?>	130.216.124.87	1024	1	0	0	0	RA
2001-04-22-04:39:15		tcp	208.185.175.154	0	?>	130.216.219.64	3072	1	0	0	0	RA
2001-04-22-04:39:44		tcp	208.185.175.154	0	?>	130.216.206.62	1024	1	0	0	0	RA
2001-04-22-04:40:09		tcp	208.185.175.154	0	?>	130.216.123.51	1024	1	0	0	0	RA
2001-04-22-04:42:06		tcp	208.185.175.154	0	?>	130.216.165.57	1024	1	0	0	0	RA
2001-04-22-04:42:16		tcp	208.185.175.154	0	?>	130.216.185.42	1024	1	0	0	0	RA
2001-04-22-04:42:51		tcp	208.185.175.154	0	?>	130.216.99.12	3072	1	0	0	0	RA
2001-04-22-04:43:07		tcp	208.185.175.154	0	?>	130.216.134.10	1024	1	0	0	0	RA
2001-04-22-04:44:02		tcp	208.185.175.154	0	?>	130.216.29.28	3072	1	0	0	0	RA
2001-04-22-04:44:18		tcp	208.185.175.154	0	?>	130.216.83.44	1024	1	0	0	0	RA
2001-04-22-04:45:05		tcp	208.185.175.154	0	?>	130.216.132.73	3072	1	0	0	0	RA
2001-04-22-04:45:12		tcp	208.185.175.154	0	?>	130.216.216.113	3072	1	0	0	0	RA
2001-04-22-04:45:40		tcp	208.185.175.154	0	?>	130.216.57.91	3072	1	0	0	0	RA
2001-04-22-04:46:24		tcp	208.185.175.154	0	?>	130.216.96.125	3072	1	0	0	0	RA
2001-04-22-05:35:57		tcp	216.230.133.212	1	?>	130.216.224.33	0	1	0	0	0	R
2001-04-22-07:26:08		tcp	216.103.43.122	0	?>	130.216.178.108	3072	1	0	0	0	RA
2001-04-22-07:42:34		tcp	216.103.43.122	0	?>	130.216.186.38	3072	1	0	0	0	RA
2001-04-22-07:59:58		tcp	24.22.106.29	0	?>	130.216.22.126	1024	1	0	0	0	RA
2001-04-22-11:40:45		tcp	63.147.195.222	0	?>	130.216.240.110	1024	1	0	0	0	RA
2001-04-22-11:43:24		tcp	63.147.195.222	0	?>	130.216.191.62	1024	1	0	0	0	RA
2001-04-22-14:56:13		tcp	62.82.66.34	0	?>	130.216.174.90	1024	1	0	0	0	RA
2001-04-22-17:34:01		tcp	202.143.71.42	0	?>	130.216.191.67	1767	1	0	0	0	RPA7
2001-04-22-22:56:42		tcp	24.240.93.18	0	?>	130.216.97.82	3072	1	0	0	0	RA
2001-04-22-23:05:24		tcp	24.67.113.99	0	?>	130.216.146.69	3072	1	0	0	0	RA
2001-04-22-23:05:36		tcp	24.67.113.99	0	?>	130.216.187.81	1024	1	0	0	0	RA
2001-04-22-23:05:46		tcp	24.67.113.99	0	?>	130.216.202.33	3072	1	0	0	0	RA
2001-04-22-23:06:51		tcp	24.67.113.99	0	?>	130.216.198.79	3072	1	0	0	0	RA
2001-04-22-23:08:18		tcp	24.67.113.99	0	?>	130.216.89.9	1024	1	0	0	0	RA
2001-04-22-23:08:20		tcp	24.67.113.99	0	?>	130.216.211.123	1024	1	0	0	0	RA

Would someone please refresh my memory as to what these represent.  I 
seem to remember that these can be either packets with a the port 
number set to zero (I think that's the case here) but they can also 
represent agregated records (not possible here since I have not done 
any port aggregation).  Is there any other interpretation.

Anyone have any ideas as to what caused these packets, seems 
significant that they are all resets.  My best guess is that these are 
fall out from a DoS against the sending system using random port 
numbers and IP addresses.


Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

More information about the argus mailing list