tcp port zero...

Carter Bullard carter at qosient.com
Sun Apr 22 19:34:04 EDT 2001


Hey Guys,
   ragator will set the port numbers to 0xFFFF if the
records to be merged have different port numbers.
So, ...,  a zero port value is definitely from the network.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

   

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of Neil Long
> Sent: Sunday, April 22, 2001 6:24 PM
> To: Russell Fulton; argus-info at lists.andrew.cmu.edu
> Subject: Re: tcp port zero...
> 
> 
> Hi Russell
> 
> I believe these are backwash from remote IPs being 'packeted' with something
> called "kickem" - I see them as well
> 
> The remote target is sometimes port 0 but more often 6667, 23, etc - the
> clue is in the use of 'src' ports 1024 and 3072.
> 
> I haven't found the source to this one...
> 
> Neil
> 
> > HI,
> > I know I have asked this before but I have lost the reply
> > (sigh...)
> >
> > I am seeing a sprinkling of argus records with tcp port 0 :
> >
> > 2001-04-22-00:47:39 tcp 152.66.99.19 0 ?> 130.216.134.85 1024 1 0 0 0 RA
> > 2001-04-22-00:47:55 tcp 152.66.99.19 0 ?> 130.216.235.39 1024 1 0 0 0 RA
> > 2001-04-22-00:51:33 tcp 63.237.94.41 0 ?> 130.216.116.106 1024 1 0 0 0 RA
> > 2001-04-22-00:52:57 tcp 63.237.94.41 0 ?> 130.216.136.116 1024 1 0 0 0 RA
> > 2001-04-22-00:55:17 tcp 63.237.94.41 0 ?> 130.216.184.126 1024 1 0 0 0 RA
> > 2001-04-22-00:56:12 tcp 63.237.94.41 0 ?> 130.216.240.53 1024 1 0 0 0 RA
> > 2001-04-22-01:43:57 tcp 172.16.1.253 1593 ?> 130.216.35.105 0 1 0 0 0 R
> > 2001-04-22-01:43:58 tcp 172.16.1.253 1584 ?> 130.216.35.105 0 1 0 0 0 R
> > 2001-04-22-01:44:20 tcp 172.16.1.253 1597 ?> 130.216.35.105 0 1 0 0 0 R
> > 2001-04-22-01:44:20 tcp 172.16.1.253 1595 ?> 130.216.35.105 0 1 0 0 0 R
> > 2001-04-22-02:34:25 tcp 24.226.30.55 0 ?> 130.216.6.79 3072 1 0 0 0 RA
> > 2001-04-22-03:09:48 tcp 195.132.225.24 0 ?> 130.216.72.64 3072 1 0 0 0 RA
> > 2001-04-22-03:11:31 tcp 195.132.225.24 0 ?> 130.216.231.3 1024 1 0 0 0 RA
> > 2001-04-22-04:33:31 tcp 208.185.175.154 0 ?> 130.216.151.26 3072 1 0 0 0 RA
> > 2001-04-22-04:34:24 I tcp 208.185.175.154 0 ?> 130.216.32.32 3072 1 0 0 0 RA
> > 2001-04-22-04:34:47 tcp 208.185.175.154 0 ?> 130.216.210.72 3072 1 0 0 0 RA
> > 2001-04-22-04:36:13 tcp 208.185.175.154 0 ?> 130.216.232.104 1024 1 0 0 0 RA
> > 2001-04-22-04:36:33 tcp 208.185.175.154 0 ?> 130.216.178.81 3072 1 0 0 0 RA
> > 2001-04-22-04:36:47 tcp 208.185.175.154 0 ?> 130.216.118.57 3072 1 0 0 0 RA
> > 2001-04-22-04:37:00 tcp 208.185.175.154 0 ?> 130.216.13.73 3072 1 0 0 0 RA
> > 2001-04-22-04:37:04 tcp 208.185.175.154 0 ?> 130.216.215.90 3072 1 0 0 0 RA
> > 2001-04-22-04:37:10 tcp 208.185.175.154 0 ?> 130.216.212.109 1024 1 0 0 0 RA
> > 2001-04-22-04:37:23 tcp 208.185.175.154 0 ?> 130.216.45.89 1024 1 0 0 0 RA
> > 2001-04-22-04:37:24 tcp 208.185.175.154 0 ?> 130.216.38.107 1024 1 0 0 0 RA
> > 2001-04-22-04:37:30 tcp 208.185.175.154 0 ?> 130.216.114.67 1024 1 0 0 0 RA
> > 2001-04-22-04:37:35 tcp 208.185.175.154 0 ?> 130.216.96.74 3072 1 0 0 0 RA
> > 2001-04-22-04:37:38 tcp 208.185.175.154 0 ?> 130.216.7.124 3072 1 0 0 0 RA
> > 2001-04-22-04:38:03 tcp 208.185.175.154 0 ?> 130.216.209.110 3072 1 0 0 0 RA
> > 2001-04-22-04:38:03 tcp 208.185.175.154 0 ?> 130.216.208.39 1024 1 0 0 0 RA
> > 2001-04-22-04:38:13 tcp 208.185.175.154 0 ?> 130.216.58.109 1024 1 0 0 0 RA
> > 2001-04-22-04:38:17 tcp 208.185.175.154 0 ?> 130.216.211.75 1024 1 0 0 0 RA
> > 2001-04-22-04:38:19 I tcp 208.185.175.154 0 ?> 130.216.35.38 3072 1 0 0 0 RA
> > 2001-04-22-04:39:07 tcp 208.185.175.154 0 ?> 130.216.124.87 1024 1 0 0 0 RA
> > 2001-04-22-04:39:15 tcp 208.185.175.154 0 ?> 130.216.219.64 3072 1 0 0 0 RA
> > 2001-04-22-04:39:44 tcp 208.185.175.154 0 ?> 130.216.206.62 1024 1 0 0 0 RA
> > 2001-04-22-04:40:09 tcp 208.185.175.154 0 ?> 130.216.123.51 1024 1 0 0 0 RA
> > 2001-04-22-04:42:06 tcp 208.185.175.154 0 ?> 130.216.165.57 1024 1 0 0 0 RA
> > 2001-04-22-04:42:16 tcp 208.185.175.154 0 ?> 130.216.185.42 1024 1 0 0 0 RA
> > 2001-04-22-04:42:51 tcp 208.185.175.154 0 ?> 130.216.99.12 3072 1 0 0 0 RA
> > 2001-04-22-04:43:07 tcp 208.185.175.154 0 ?> 130.216.134.10 1024 1 0 0 0 RA
> > 2001-04-22-04:44:02 tcp 208.185.175.154 0 ?> 130.216.29.28 3072 1 0 0 0 RA
> > 2001-04-22-04:44:18 tcp 208.185.175.154 0 ?> 130.216.83.44 1024 1 0 0 0 RA
> > 2001-04-22-04:45:05 tcp 208.185.175.154 0 ?> 130.216.132.73 3072 1 0 0 0 RA
> > 2001-04-22-04:45:12 tcp 208.185.175.154 0 ?> 130.216.216.113 3072 1 0 0 0 RA
> > 2001-04-22-04:45:40 tcp 208.185.175.154 0 ?> 130.216.57.91 3072 1 0 0 0 RA
> > 2001-04-22-04:46:24 tcp 208.185.175.154 0 ?> 130.216.96.125 3072 1 0 0 0 RA
> > 2001-04-22-05:35:57 tcp 216.230.133.212 1 ?> 130.216.224.33 0 1 0 0 0 R
> > 2001-04-22-07:26:08 tcp 216.103.43.122 0 ?> 130.216.178.108 3072 1 0 0 0 RA
> > 2001-04-22-07:42:34 tcp 216.103.43.122 0 ?> 130.216.186.38 3072 1 0 0 0 RA
> > 2001-04-22-07:59:58 tcp 24.22.106.29 0 ?> 130.216.22.126 1024 1 0 0 0 RA
> > 2001-04-22-11:40:45 tcp 63.147.195.222 0 ?> 130.216.240.110 1024 1 0 0 0 RA
> > 2001-04-22-11:43:24 tcp 63.147.195.222 0 ?> 130.216.191.62 1024 1 0 0 0 RA
> > 2001-04-22-14:56:13 tcp 62.82.66.34 0 ?> 130.216.174.90 1024 1 0 0 0 RA
> > 2001-04-22-17:34:01 tcp 202.143.71.42 0 ?> 130.216.191.67 1767 1 0 0 0 RPA7
> > 2001-04-22-22:56:42 tcp 24.240.93.18 0 ?> 130.216.97.82 3072 1 0 0 0 RA
> > 2001-04-22-23:05:24 tcp 24.67.113.99 0 ?> 130.216.146.69 3072 1 0 0 0 RA
> > 2001-04-22-23:05:36 tcp 24.67.113.99 0 ?> 130.216.187.81 1024 1 0 0 0 RA
> > 2001-04-22-23:05:46 tcp 24.67.113.99 0 ?> 130.216.202.33 3072 1 0 0 0 RA
> > 2001-04-22-23:06:51 tcp 24.67.113.99 0 ?> 130.216.198.79 3072 1 0 0 0 RA
> > 2001-04-22-23:08:18 tcp 24.67.113.99 0 ?> 130.216.89.9 1024 1 0 0 0 RA
> > 2001-04-22-23:08:20 tcp 24.67.113.99 0 ?> 130.216.211.123 1024 1 0 0 0 RA
> >
> > Would someone please refresh my memory as to what these represent.  I
> > seem to remember that these can be either packets with the port
> > number set to zero (I think that's the case here) but they can also
> > represent aggregated records (not possible here since I have not done
> > any port aggregation).  Is there any other interpretation.
> >
> > Anyone have any ideas as to what caused these packets, seems
> > significant that they are all resets.  My best guess is that these are
> > fall out from a DoS against the sending system using random port
> > numbers and IP addresses.
> >
> >
> > Russell Fulton, Computer and Network Security Officer
> > The University of Auckland,  New Zealand
> >
> >
> 
> 
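The triage the thread arrives at, written out as an added example (this is not argus code and not from any of the posters): parse ra text records of the layout shown in Russell's listing, treat a port of 0xFFFF as the ragator merge marker Carter describes, treat a port of 0 together with an R in the state column as a RST really seen on the wire, and apply Neil's "kickem" backwash heuristic (remote source port 0, RST, local port 1024 or 3072) to count how many RSTs each remote host sent back. Assumptions are stated in the comments: the optional status column (the 'I' in two of the records) is handled by locating the direction token rather than by field position, and the final 192.0.2.10 record is constructed to stand in for a merged flow.

```python
"""Triage argus 'ra' text records carrying a TCP port of 0.

Added example for this thread; it is not argus code. It assumes the record
layout shown in Russell's listing (stime [status] proto saddr sport dir daddr
dport spkts dpkts sbytes dbytes state) and, per Carter's note, that a port
of 0xFFFF (65535) marks a ragator merge of records with differing ports.
"""
from collections import Counter
from dataclasses import dataclass

# Direction tokens ra prints between the two endpoints ('?' = unknown).
DIRECTION_TOKENS = {"->", "<-", "<->", "?>", "<?", "<?>"}
RAGATOR_MERGED_PORT = 0xFFFF        # set by ragator when merged ports differ
# Local-side ports Neil points to as the signature of "kickem" backwash;
# they show up as the dst port of the inbound RST/ACK.
KICKEM_PORTS = {1024, 3072}


@dataclass(frozen=True)
class Flow:
    stime: str
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    state: str


def parse_record(line: str) -> Flow:
    """Split one ra line around its direction token, so an optional status
    column (the 'I' in some records) does not shift the endpoint fields."""
    fields = line.split()
    try:
        d = next(i for i, f in enumerate(fields) if f in DIRECTION_TOKENS)
    except StopIteration:
        raise ValueError(f"no direction token in record: {line!r}") from None
    return Flow(
        stime=fields[0],
        proto=fields[d - 3],
        saddr=fields[d - 2],
        sport=int(fields[d - 1]),
        daddr=fields[d + 1],
        dport=int(fields[d + 2]),
        state=fields[-1],
    )


def classify(flow: Flow) -> str:
    """Tell a ragator merge marker apart from a port 0 seen on the wire."""
    if RAGATOR_MERGED_PORT in (flow.sport, flow.dport):
        return "ragator-merged"          # not from the network
    if 0 in (flow.sport, flow.dport):
        # argus state letters: R = RST seen, A = ACK, P = PSH ...
        return "port0-reset" if "R" in flow.state else "port0-other"
    return "normal"


def is_kickem_backwash(flow: Flow) -> bool:
    """Neil's heuristic: a remote host answering from port 0 with a RST to
    one of our addresses on port 1024 or 3072, i.e. the reply to a spoofed
    packet that carried our address as its source."""
    return flow.sport == 0 and "R" in flow.state and flow.dport in KICKEM_PORTS


def summarize(text: str) -> dict:
    """Count records per class and, for the backwash class, per remote host;
    a remote host seen many times is a likely DoS victim, not an attacker."""
    classes: Counter = Counter()
    by_remote: Counter = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_record(line)
        classes[classify(flow)] += 1
        if is_kickem_backwash(flow):
            by_remote[flow.saddr] += 1
    return {"classes": classes, "kickem_by_remote": by_remote}


# Seven records copied from Russell's listing above, plus one constructed
# record (192.0.2.10, a documentation address) standing in for what a
# ragator-merged flow would look like; it is not from the original post.
SAMPLE_RECORDS = """\
2001-04-22-00:47:39 tcp 152.66.99.19 0 ?> 130.216.134.85 1024 1 0 0 0 RA
2001-04-22-01:43:57 tcp 172.16.1.253 1593 ?> 130.216.35.105 0 1 0 0 0 R
2001-04-22-02:34:25 tcp 24.226.30.55 0 ?> 130.216.6.79 3072 1 0 0 0 RA
2001-04-22-04:34:24 I tcp 208.185.175.154 0 ?> 130.216.32.32 3072 1 0 0 0 RA
2001-04-22-04:37:04 tcp 208.185.175.154 0 ?> 130.216.215.90 3072 1 0 0 0 RA
2001-04-22-05:35:57 tcp 216.230.133.212 1 ?> 130.216.224.33 0 1 0 0 0 R
2001-04-22-17:34:01 tcp 202.143.71.42 0 ?> 130.216.191.67 1767 1 0 0 0 RPA7
2001-04-22-09:00:00 tcp 192.0.2.10 65535 -> 130.216.1.1 80 40 38 2500 61000 CON
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_RECORDS)
    for cls, n in sorted(result["classes"].items()):
        print(f"{cls:15s} {n}")
    for host, n in result["kickem_by_remote"].most_common():
        print(f"backwash from {host}: {n} RST(s)")
```

Run it against a full day of `ra` output piped in and the per-remote-host counter does what Russell wants: the hosts with the most entries (208.185.175.154 in his listing) are the ones being flooded with spoofed packets that carry University of Auckland addresses, so the right follow-up is a note to that network's operators rather than a block on the "source". The port0-other bucket is there so a port 0 record without a RST, which this heuristic cannot explain, is not silently lumped in with the backwash.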