port number zero (TCP/UDP)

Printable View

April 26th, 2004, 07:04 PM
slarty

port number zero (TCP/UDP)

Here's a funny one.

Following on from the "IP 0.0.0.0" thread...

IS port number 0 legal as a source or destination port in TCP/ UDP ?

This I know:

1. It is impossible using the BSD sockets API (or anything derived from it), to bind a socket to port 0 (because it is a placeholder for "let the OS choose"). So using it as a source port or listening port is right out.
2. Therefore, if everyone in the world was using BSD sockets exclusively, it would be pointless to send or connect to port 0, as nobody else would be able to bind to it.
3. It is probably possible using lower level sockets API to send and receive TCP or UDP frames to/from port 0, provided your code sorts the tcp checksums out

- Is there any known use for it (legitimate or otherwise (for instance by trojans))
- Will these packets be dropped by some routers (i.e. non-firewalling routers which let most stuff through) as illegal?
- Does it get NAT'd correctly by DNAT boxes?

NB: I can do experiments to try and determine some of these things.

Slarty
April 26th, 2004, 07:39 PM
PM8228

I was pretty sure port 0 would let you determine the OS, or at least give you a patern for it. That is I what I got from reading some stuff on nmap and I know not a lot about networking.

-Cheers-
April 26th, 2004, 07:48 PM
Tiger Shark

Just a quick observation without the science to back it up but Snort alerts on it..... You don;'t make Snort rules for something that is utterly harmless..... If I remember I'll go look and see why.

[Edit]

You know, sometimes, good questions are more valuable than good answers.... Nice one Slarty..... ;)

[/Edit]

[re-Edit]

Looks like there are a couple of things out there. Zero is a reserved port as stated and demonstrated in this link. The RFC, (1700), refered to in that document confirms that port zero is reserved.

The interesting part about the document is the OS fingerprinting part that PM(?) mentioned. and thus the reason for the Snort rules.

And as I mentioned above about good questions being better then good answers sometimes I found out and answer as to why my Win2k box scanned by SecuritySpace and others keeps coming up as a Linux box......

Quote:

Unfortunalty both MS Windows 2000 and Linux have the same port 0 fingerprint, relpying to all 7 tests.

That's why good questions are sometimes better then good answers.... They can lead to the answers to other questions...... :cool:

[/re_Edit]