
SANS ISC InfoSec Handlers Diary Blog



Cyber Security Awareness Month - Day 2 - Port 0

Published: 2009-10-02
Last Updated: 2009-10-02 18:59:20 UTC
by Stephen Hall (Version: 1)
4 comment(s)

The second day of Cybersecurity Awareness Month is dedicated to the strange and anomalous port number 0.

IANA has entries for port 0 for both TCP and UDP in its registry of assigned port numbers at: http://www.iana.org/assignments/port-numbers
 
Decimal    Description
-------    -----------
0/tcp      Reserved
0/udp      Reserved
 
As you can see, both are defined as being reserved.
 
However, there is a lesser known definition for port 0 which is:
 
spr-itunes        0/tcp    Shirt Pocket netTunes
spl-itunes        0/tcp    Shirt Pocket launchTunes
 
which causes confusion: some /etc/services files carry these itunes entries (nothing to do with Apple), so tools such as netstat that resolve port numbers through that file will label port 0 as spr-itunes, making it look as though that service is in use.
 
The use of TCP port 0 was first introduced (as far as I can find) in RFC 675, which states:
 
   It is possible to specify a socket only partially by setting the PORT
   identifier to zero or setting both the TCP and PORT identifiers to
   zero. A socket of all zero is called UNSPECIFIED. The purpose behind
   unspecified sockets is to provide a sort of "general delivery"
   facility [useful for logger type processes with well known sockets].
 
So this describes a socket written as 0.0.0.0:0 or x.x.x.x:0 (where x.x.x.x is a valid IP address), with the zero port meaning "not yet specified". That is still the only legitimate meaning of port 0 today: binding a socket to port 0 asks the stack to pick a free ephemeral port, and the port that actually appears on the wire is the one the stack chose, never 0.
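The API-level meaning of port 0 in modern terms, as an added example that is not part of the original diary: binding to port 0 on a loopback address and reading back the port the kernel assigned. The loopback address and the expectation that ephemeral ports are at or above 1024 are assumptions about the host, not something the diary states.

```python
"""Port 0 as the 'unspecified' port of RFC 675, in today's socket API.

Added example, not from the ISC diary. Assumes a host with a working
loopback interface and an ephemeral port range at or above 1024.
"""
import socket


def bind_port_zero(host: str = "127.0.0.1") -> int:
    """Bind a TCP socket to port 0 and return the port the kernel chose.

    Port 0 here means "any free port"; the socket is fully specified only
    after bind(), and the assigned port is what would appear on the wire.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))          # the RFC 675 'unspecified' port case
        return s.getsockname()[1]  # now a concrete, non-zero port


def ephemeral_ports_are_distinct(host: str = "127.0.0.1") -> bool:
    """Hold two port-0 sockets open at once: the kernel must hand out two
    different, non-zero ports, so port 0 never identifies a live endpoint."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as a, \
            socket.socket(socket.AF_INET, socket.SOCK_STREAM) as b:
        a.bind((host, 0))
        b.bind((host, 0))
        pa, pb = a.getsockname()[1], b.getsockname()[1]
        return pa != pb and 0 not in (pa, pb)


if __name__ == "__main__":
    print("kernel assigned port", bind_port_zero())
    print("two port-0 binds got distinct ports:", ephemeral_ports_are_distinct())
```

The same "pick one for me" semantics apply to UDP and to IPv6; what never happens is a legitimate stack emitting a segment whose source or destination port is 0.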
 
So, when do we see port 0 in use on the wire? For no valid reason that I know of.
 
Indeed, many IDS systems provide signatures to detect packets which have port numbers of 0, for example:
 
"alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)"
 
To break down this Snort IDS signature: the <> operator makes it bidirectional, so it alerts on any TCP packet between $EXTERNAL_NET and $HOME_NET in which the $HOME_NET side of the conversation is port 0, whether that is the destination port of an inbound packet or the source port of an outbound one. flow:stateless means it fires on the individual packet without requiring an established stream, which is appropriate since such packets rarely belong to a real session.
 
Other handlers have pondered where such packets come from (see isc.sans.org/diary.html?storyid=556), but we also know that such packets can be created by tools such as hping3.
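To make the rule semantics and the crafted-packet side concrete, here is an added example that is not part of the original diary: it builds minimal IPv4/TCP SYN frames of the kind a tool like hping3 could send to port 0, parses them back, and applies the same match logic as the Snort signature quoted above. The $HOME_NET range (192.0.2.0/24, a documentation prefix), the choice of $EXTERNAL_NET as "anything not in $HOME_NET", and the sample traffic are all constructed assumptions for the example.

```python
"""Craft TCP port 0 packets and detect them with Snort-rule semantics.

Added example, not from the ISC diary or any IDS project. The frames are
constructed inline so the script runs offline (no capture, no raw sockets).
Assumptions: HOME_NET is 192.0.2.0/24 and EXTERNAL_NET is !HOME_NET.
"""
import ipaddress
import struct
from typing import List, NamedTuple, Optional

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed $HOME_NET


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def checksum(data: bytes) -> int:
    """Standard Internet ones-complement checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src: str, sport: int, dst: str, dport: int, flags: int = 0x02) -> bytes:
    """Build a bare IPv4 + TCP frame (default flags 0x02 = SYN, no payload).

    This is what a crafted probe such as 'hping3 -S -p 0 <target>' puts on
    the wire: nothing in a normal stack produces a 0 in either port field.
    """
    src_b = ipaddress.ip_address(src).packed
    dst_b = ipaddress.ip_address(dst).packed
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def ip_checksum_ok(frame: bytes) -> bool:
    """A correct IPv4 header sums to zero when the checksum field is included."""
    ihl = (frame[0] & 0x0F) * 4
    return checksum(frame[:ihl]) == 0


def parse_tcp(frame: bytes) -> Optional[Packet]:
    """Pull addresses, ports and flags out of an IPv4/TCP frame; None if not TCP."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 6:
        return None
    src = str(ipaddress.ip_address(frame[12:16]))
    dst = str(ipaddress.ip_address(frame[16:20]))
    sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    return Packet(src, sport, dst, dport, frame[ihl + 13])


def matches_port0_rule(pkt: Packet, home_net=HOME_NET) -> bool:
    """Equivalent of:  alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (flow:stateless; ...)

    '<>' is bidirectional, so the rule matches an inbound packet whose
    destination port is 0 and an outbound packet whose source port is 0.
    flow:stateless means each packet is judged on its own, so no stream
    tracking is needed here either.
    """
    src_home = ipaddress.ip_address(pkt.src) in home_net
    dst_home = ipaddress.ip_address(pkt.dst) in home_net
    if dst_home and not src_home and pkt.dport == 0:   # external -> home:0
        return True
    if src_home and not dst_home and pkt.sport == 0:   # home:0 -> external
        return True
    return False


def sample_frames() -> List[bytes]:
    """Constructed sample traffic, not a real capture."""
    return [
        build_tcp("198.51.100.7", 40000, "192.0.2.10", 0),   # inbound SYN to port 0: alert
        build_tcp("192.0.2.10", 0, "198.51.100.7", 40000),   # outbound from port 0: alert
        build_tcp("198.51.100.7", 40000, "192.0.2.10", 80),  # ordinary web traffic: no alert
        build_tcp("192.0.2.10", 0, "192.0.2.11", 22),        # both ends internal: no alert
    ]


def audit(frames: List[bytes]) -> List[Packet]:
    """Run the port-0 rule over a list of frames and return the packets that alert."""
    alerts = []
    for frame in frames:
        pkt = parse_tcp(frame)
        if pkt is not None and matches_port0_rule(pkt):
            alerts.append(pkt)
    return alerts


if __name__ == "__main__":
    for pkt in audit(sample_frames()):
        print("BAD-TRAFFIC tcp port 0 traffic: %s:%d -> %s:%d" % pkt[:4])
```

The fourth sample frame is the caveat worth knowing: with the default Snort setting of $EXTERNAL_NET as "any", a port 0 packet between two internal hosts would also alert, whereas with $EXTERNAL_NET defined as !$HOME_NET, as assumed here, it does not; when tuning the rule, check which definition your sensor uses.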
 
So, have you seen TCP port 0 on your network and found a valid reason for it being there? If so, drop us a line via the contact form, and I'll update the diary with those uses.
 
Update:
 
One of our diary readers, Troy, has let us know that he has seen TCP port 0 traffic on a number of occasions coming from an Akamai caching server farm. If you know why the people over at Akamai are using TCP port 0, or indeed have a packet capture we could examine, then please let us know via the contact form.
 