September 17th, 2003, 09:07 PM
I'm running Pure Secure IDS. I have just come to check the logs and have noticed that there are about 40 warnings of "BAD TRAFFIC tcp port 0 traffic". They all come from the same IP address, which appears to be a Norway ADSL connection.
I have not seen this type of report before, so if anyone could shed any light on this I'd be grateful.
September 17th, 2003, 09:15 PM
This should help.
Port 0 OS Fingerprinting
Port 0 is reserved for special use, as stated in RFC 1700. Coupled with the fact that this port number is reassigned by the OS, no traffic should flow over the internet using this port. As the specifics are not clear, different OSes have different ways of handling traffic using port 0, and thus they can be fingerprinted.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
September 17th, 2003, 09:16 PM
I don't really have an answer to your question but I remember reading about something similar on bugtraq a while back.
That is the email that went out to the "incidents" list.
September 17th, 2003, 09:38 PM
Cheers for those links.
I've decided just to drop all packets from the IP address. Still can't figure out, though, why there were so many attempts to connect to that port.
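The check behind a "tcp port 0 traffic" alert, as an added example that is not part of any post in this thread: parse raw IPv4/TCP headers and tally, per source address, the packets that use port 0 as source or destination. The function names are hypothetical, and the sample packets are constructed with documentation addresses (RFC 5737).

```python
import socket
import struct
from collections import Counter

def build_packet(src_ip, dst_ip, sport, dport, flags=0x02):
    """Construct a minimal IPv4+TCP packet (checksums left at 0) as sample input."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp

def parse_tcp_ports(packet):
    """Return (src_ip, dst_ip, sport, dport), or None if not parsable IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # IP header length in bytes
    if ihl < 20 or packet[9] != socket.IPPROTO_TCP or len(packet) < ihl + 4:
        return None
    # Non-first fragments carry no TCP header, so there are no ports to read.
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), sport, dport)

def port0_sources(packets):
    """Count, per source IP, TCP packets whose source or destination port is 0."""
    hits = Counter()
    for pkt in packets:
        parsed = parse_tcp_ports(pkt)
        if parsed and 0 in parsed[2:]:
            hits[parsed[0]] += 1
    return hits

# Constructed sample traffic: one noisy source, one normal flow, one source-port-0 packet.
SAMPLE = (
    [build_packet("203.0.113.7", "192.0.2.10", 40000 + i, 0) for i in range(40)]
    + [build_packet("198.51.100.5", "192.0.2.10", 51515, 80),
       build_packet("198.51.100.9", "192.0.2.10", 0, 443),
       b"\x45\x00"]  # truncated packet, ignored by the parser
)

if __name__ == "__main__":
    for ip, n in port0_sources(SAMPLE).most_common():
        print(f"{ip}: {n} TCP packets using port 0")
```

A per-source tally like this makes it easy to see when all the port 0 alerts trace back to a single address, as in the first post.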