tcp port zero...

Neil Long neil.long at computing-services.oxford.ac.uk
Sun Apr 22 18:24:09 EDT 2001


Hi Russell

I believe these are backwash from remote IPs being 'packeted' with something
called "kickem" - I see them as well

The remote target is sometimes port 0 but more often 6667, 23, etc - the
clue is in the use of 'src' ports 1024 and 3072.

I haven't found the source to this one...

Neil

> HI,
> I know I have asked this before but I have lost the reply
> (sigh...)
>
> I am seeing a sprinkling of argus records with tcp port 0 :
>
> 2001-04-22-00:47:39 tcp 152.66.99.19 0 ?> 130.216.134.85 1024 1 0 0 0 RA
> 2001-04-22-00:47:55 tcp 152.66.99.19 0 ?> 130.216.235.39 1024 1 0 0 0 RA
> 2001-04-22-00:51:33 tcp 63.237.94.41 0 ?> 130.216.116.106 1024 1 0 0 0 RA
> 2001-04-22-00:52:57 tcp 63.237.94.41 0 ?> 130.216.136.116 1024 1 0 0 0 RA
> 2001-04-22-00:55:17 tcp 63.237.94.41 0 ?> 130.216.184.126 1024 1 0 0 0 RA
> 2001-04-22-00:56:12 tcp 63.237.94.41 0 ?> 130.216.240.53 1024 1 0 0 0 RA
> 2001-04-22-01:43:57 tcp 172.16.1.253 1593 ?> 130.216.35.105 0 1 0 0 0 R
> 2001-04-22-01:43:58 tcp 172.16.1.253 1584 ?> 130.216.35.105 0 1 0 0 0 R
> 2001-04-22-01:44:20 tcp 172.16.1.253 1597 ?> 130.216.35.105 0 1 0 0 0 R
> 2001-04-22-01:44:20 tcp 172.16.1.253 1595 ?> 130.216.35.105 0 1 0 0 0 R
> 2001-04-22-02:34:25 tcp 24.226.30.55 0 ?> 130.216.6.79 3072 1 0 0 0 RA
> 2001-04-22-03:09:48 tcp 195.132.225.24 0 ?> 130.216.72.64 3072 1 0 0 0 RA
> 2001-04-22-03:11:31 tcp 195.132.225.24 0 ?> 130.216.231.3 1024 1 0 0 0 RA
> 2001-04-22-04:33:31 tcp 208.185.175.154 0 ?> 130.216.151.26 3072 1 0 0 0 RA
> 2001-04-22-04:34:24 I tcp 208.185.175.154 0 ?> 130.216.32.32 3072 1 0 0 0 RA
> 2001-04-22-04:34:47 tcp 208.185.175.154 0 ?> 130.216.210.72 3072 1 0 0 0 RA
> 2001-04-22-04:36:13 tcp 208.185.175.154 0 ?> 130.216.232.104 1024 1 0 0 0 RA
> 2001-04-22-04:36:33 tcp 208.185.175.154 0 ?> 130.216.178.81 3072 1 0 0 0 RA
> 2001-04-22-04:36:47 tcp 208.185.175.154 0 ?> 130.216.118.57 3072 1 0 0 0 RA
> 2001-04-22-04:37:00 tcp 208.185.175.154 0 ?> 130.216.13.73 3072 1 0 0 0 RA
> 2001-04-22-04:37:04 tcp 208.185.175.154 0 ?> 130.216.215.90 3072 1 0 0 0 RA
> 2001-04-22-04:37:10 tcp 208.185.175.154 0 ?> 130.216.212.109 1024 1 0 0 0 RA
> 2001-04-22-04:37:23 tcp 208.185.175.154 0 ?> 130.216.45.89 1024 1 0 0 0 RA
> 2001-04-22-04:37:24 tcp 208.185.175.154 0 ?> 130.216.38.107 1024 1 0 0 0 RA
> 2001-04-22-04:37:30 tcp 208.185.175.154 0 ?> 130.216.114.67 1024 1 0 0 0 RA
> 2001-04-22-04:37:35 tcp 208.185.175.154 0 ?> 130.216.96.74 3072 1 0 0 0 RA
> 2001-04-22-04:37:38 tcp 208.185.175.154 0 ?> 130.216.7.124 3072 1 0 0 0 RA
> 2001-04-22-04:38:03 tcp 208.185.175.154 0 ?> 130.216.209.110 3072 1 0 0 0 RA
> 2001-04-22-04:38:03 tcp 208.185.175.154 0 ?> 130.216.208.39 1024 1 0 0 0 RA
> 2001-04-22-04:38:13 tcp 208.185.175.154 0 ?> 130.216.58.109 1024 1 0 0 0 RA
> 2001-04-22-04:38:17 tcp 208.185.175.154 0 ?> 130.216.211.75 1024 1 0 0 0 RA
> 2001-04-22-04:38:19 I tcp 208.185.175.154 0 ?> 130.216.35.38 3072 1 0 0 0 RA
> 2001-04-22-04:39:07 tcp 208.185.175.154 0 ?> 130.216.124.87 1024 1 0 0 0 RA
> 2001-04-22-04:39:15 tcp 208.185.175.154 0 ?> 130.216.219.64 3072 1 0 0 0 RA
> 2001-04-22-04:39:44 tcp 208.185.175.154 0 ?> 130.216.206.62 1024 1 0 0 0 RA
> 2001-04-22-04:40:09 tcp 208.185.175.154 0 ?> 130.216.123.51 1024 1 0 0 0 RA
> 2001-04-22-04:42:06 tcp 208.185.175.154 0 ?> 130.216.165.57 1024 1 0 0 0 RA
> 2001-04-22-04:42:16 tcp 208.185.175.154 0 ?> 130.216.185.42 1024 1 0 0 0 RA
> 2001-04-22-04:42:51 tcp 208.185.175.154 0 ?> 130.216.99.12 3072 1 0 0 0 RA
> 2001-04-22-04:43:07 tcp 208.185.175.154 0 ?> 130.216.134.10 1024 1 0 0 0 RA
> 2001-04-22-04:44:02 tcp 208.185.175.154 0 ?> 130.216.29.28 3072 1 0 0 0 RA
> 2001-04-22-04:44:18 tcp 208.185.175.154 0 ?> 130.216.83.44 1024 1 0 0 0 RA
> 2001-04-22-04:45:05 tcp 208.185.175.154 0 ?> 130.216.132.73 3072 1 0 0 0 RA
> 2001-04-22-04:45:12 tcp 208.185.175.154 0 ?> 130.216.216.113 3072 1 0 0 0 RA
> 2001-04-22-04:45:40 tcp 208.185.175.154 0 ?> 130.216.57.91 3072 1 0 0 0 RA
> 2001-04-22-04:46:24 tcp 208.185.175.154 0 ?> 130.216.96.125 3072 1 0 0 0 RA
> 2001-04-22-05:35:57 tcp 216.230.133.212 1 ?> 130.216.224.33 0 1 0 0 0 R
> 2001-04-22-07:26:08 tcp 216.103.43.122 0 ?> 130.216.178.108 3072 1 0 0 0 RA
> 2001-04-22-07:42:34 tcp 216.103.43.122 0 ?> 130.216.186.38 3072 1 0 0 0 RA
> 2001-04-22-07:59:58 tcp 24.22.106.29 0 ?> 130.216.22.126 1024 1 0 0 0 RA
> 2001-04-22-11:40:45 tcp 63.147.195.222 0 ?> 130.216.240.110 1024 1 0 0 0 RA
> 2001-04-22-11:43:24 tcp 63.147.195.222 0 ?> 130.216.191.62 1024 1 0 0 0 RA
> 2001-04-22-14:56:13 tcp 62.82.66.34 0 ?> 130.216.174.90 1024 1 0 0 0 RA
> 2001-04-22-17:34:01 tcp 202.143.71.42 0 ?> 130.216.191.67 1767 1 0 0 0 RPA7
> 2001-04-22-22:56:42 tcp 24.240.93.18 0 ?> 130.216.97.82 3072 1 0 0 0 RA
> 2001-04-22-23:05:24 tcp 24.67.113.99 0 ?> 130.216.146.69 3072 1 0 0 0 RA
> 2001-04-22-23:05:36 tcp 24.67.113.99 0 ?> 130.216.187.81 1024 1 0 0 0 RA
> 2001-04-22-23:05:46 tcp 24.67.113.99 0 ?> 130.216.202.33 3072 1 0 0 0 RA
> 2001-04-22-23:06:51 tcp 24.67.113.99 0 ?> 130.216.198.79 3072 1 0 0 0 RA
> 2001-04-22-23:08:18 tcp 24.67.113.99 0 ?> 130.216.89.9 1024 1 0 0 0 RA
> 2001-04-22-23:08:20 tcp 24.67.113.99 0 ?> 130.216.211.123 1024 1 0 0 0 RA
>
> Would someone please refresh my memory as to what these represent.  I
> seem to remember that these can be either packets with the port
> number set to zero (I think that's the case here) but they can also
> represent aggregated records (not possible here since I have not done
> any port aggregation).  Is there any other interpretation?
>
> Anyone have any ideas as to what caused these packets? It seems
> significant that they are all resets.  My best guess is that these are
> fallout from a DoS against the sending system using random port
> numbers and IP addresses.
>
>
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
>
>
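The thread raises three readings of a port-0 argus record: a real packet with port 0, an aggregated record, or reset backscatter from a spoofed-source flood aimed at the remote host (one remote address sending single RST/ACKs from port 0 to many local hosts on ports 1024 and 3072). The following script is an added example, not code from the argus project or from either poster; it parses records in the text layout quoted above and sorts them into those buckets. It assumes the column order StartTime [Flgs] Proto SrcAddr Sport Dir DstAddr Dport followed by four counters and a state string, and further assumes (not confirmed by the thread) that the first counter is the packet count from SrcAddr, so a value of 1 rules out aggregation. The sample records are a constructed subset of the ones quoted above.

```python
"""Triage argus port-0 records: lone port-0 packet, aggregate, or reset
backscatter from a flood aimed at the remote host?

Added example, not code from the argus project or from this thread.
Assumed record layout (matches the records quoted in the message):
  StartTime [Flgs] Proto SrcAddr Sport Dir DstAddr Dport c1 c2 c3 c4 State
Assumption not confirmed by the thread: c1 is the packet count seen from
SrcAddr, so c1 == 1 means a single packet rather than an aggregated record.
"""
from collections import defaultdict

PROTOS = {"tcp", "udp", "icmp"}

# Local ports the reply above associates with the "kickem" flood tool. They
# appear as *destination* ports here because the flood spoofed local
# addresses as its source, so the remote victim's RST/ACKs came back to them.
KICKEM_PORTS = {1024, 3072}

# Constructed sample: a subset of the records from the thread, including one
# with the optional Flgs column ("I"), the two non-RA outliers and one
# line that is not a record at all.
SAMPLE = """\
2001-04-22-00:47:39 tcp 152.66.99.19 0 ?> 130.216.134.85 1024 1 0 0 0 RA
2001-04-22-01:43:57 tcp 172.16.1.253 1593 ?> 130.216.35.105 0 1 0 0 0 R
2001-04-22-04:34:24 I tcp 208.185.175.154 0 ?> 130.216.32.32 3072 1 0 0 0 RA
2001-04-22-04:36:13 tcp 208.185.175.154 0 ?> 130.216.232.104 1024 1 0 0 0 RA
2001-04-22-05:35:57 tcp 216.230.133.212 1 ?> 130.216.224.33 0 1 0 0 0 R
2001-04-22-17:34:01 tcp 202.143.71.42 0 ?> 130.216.191.67 1767 1 0 0 0 RPA7
this line is not a flow record
"""


def parse_record(line):
    """Parse one text record into a dict, or return None if it does not fit."""
    f = line.split()
    if len(f) < 12:
        return None
    i = 1 if f[1] in PROTOS else 2  # skip the optional Flgs column
    try:
        return {
            "time": f[0],
            "proto": f[i],
            "src": f[i + 1], "sport": int(f[i + 2]),
            "dir": f[i + 3],
            "dst": f[i + 4], "dport": int(f[i + 5]),
            "counts": tuple(int(x) for x in f[i + 6:i + 10]),
            "state": f[i + 10],
        }
    except (ValueError, IndexError):
        return None


def is_reset_backscatter(rec):
    """One RST/ACK from TCP port 0 to a local 1024/3072 port: the pattern the
    reply above attributes to a flood against the remote address."""
    return (rec["proto"] == "tcp"
            and rec["sport"] == 0
            and rec["state"] == "RA"          # reset+ack and nothing else
            and rec["dport"] in KICKEM_PORTS
            and rec["counts"][0] == 1)        # single packet, not an aggregate


def summarize(lines):
    """Group port-0 records by remote address and give each a verdict.

    A remote that reaches many distinct local hosts with nothing but reset
    backscatter is most likely the *victim* of a flood, not an attacker.
    """
    per_remote = defaultdict(lambda: {"targets": set(), "backscatter": 0, "other": 0})
    for line in lines:
        rec = parse_record(line)
        if rec is None or 0 not in (rec["sport"], rec["dport"]):
            continue                          # not a port-0 record
        r = per_remote[rec["src"]]
        r["targets"].add(rec["dst"])
        r["backscatter" if is_reset_backscatter(rec) else "other"] += 1
    out = {}
    for src, r in per_remote.items():
        verdict = ("flood-victim backscatter"
                   if r["backscatter"] and not r["other"]
                   else "unexplained port-0 traffic")
        out[src] = {"targets": len(r["targets"]), "backscatter": r["backscatter"],
                    "other": r["other"], "verdict": verdict}
    return out


if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE.splitlines()).items()):
        print(f"{src:16} targets={info['targets']:2} "
              f"backscatter={info['backscatter']:2} other={info['other']:2}  "
              f"{info['verdict']}")
```

On the full listing above the same grouping puts 208.185.175.154 at the top with dozens of distinct 130.216/16 targets and only RA records, which is the shape a spoofed-source flood leaves behind; the three 172.16.1.253 records (local port 0, state R, non-zero remote port) and the 202.143.71.42 record (state RPA7, local port 1767) fall through to the "unexplained" bucket and are the ones worth a closer look.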
