Massive Increase in Reconnaissance Activity – Precursor to Attack?
Update 2013-11-12: Watch our YouTube discussion of this activity.
Update 2013-11-05: Upon further examination of the traffic we can confirm that a large percentage of it is destined for TCP port 445, which indicates someone looking for hosts running SMB/DCERPC. With that in mind, it is extremely likely that someone is looking for vulnerable Windows machines, or quite possibly that the “soon to be” attackers are looking for boxes already compromised by a specific malware variant.
On 2013-11-02 at 01:00 UTC Cisco saw a massive spike in TCP source port zero traffic that lasted three hours. This was the largest spike of reconnaissance activity we have seen this year. TCP port zero is marked Reserved in the IANA port registry and should never appear on the wire; the only legitimate use of port 0 is inside the socket API, where it asks the operating system to pick an ephemeral port. Customers who see port zero activity on their network should treat the traffic as suspicious and investigate its source.
The accompanying graph shows the number of sensors logging this activity. Normally that count is below 20; on 2013-11-02 it increased fivefold. There was also an associated massive increase in the volume of traffic matching signature 24199-0.
Generally speaking, port zero traffic can indicate reconnaissance and may be a precursor to more serious penetration attempts. It can also be an attempt to fingerprint network security devices: different network equipment responds to this abnormal traffic differently, and an attacker who inspects the responses may be able to infer which devices a customer uses to protect their network. Similarly, different operating systems, or even different versions of the same operating system, may respond to port zero in different ways. This helps an attacker make a more precise attempt to compromise the network.
Cisco TRAC has correlated the highest volume of this traffic to the following IP addresses, all of which are assigned to Ecatel:
Customers should be on the lookout for this activity. We do not know the intent of these packets: this could be a simple research project mapping portions of the Internet by operating system and service pack, or it could be an attacker preparing to do something nefarious. As we pointed out in our previous blog, “reconnaissance may take place months before the attack begins so look for an increase in scans”. Users should block this port at their firewall, as it serves no legitimate purpose. It is also good practice to keep an eye on your logs for anomalous behaviour.
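The detection logic described above (source port zero on the wire, the per-hour sensor count compared against a normal baseline, and the share of that traffic aimed at TCP 445), written out as an added example that is not Cisco’s or TRAC’s tooling. It assumes a record format of (sensor id, hour bucket, raw IPv4 packet bytes) and a baseline of the median sensor count of earlier hours with a fivefold threshold taken from the post; the sample packets are constructed inline and are not real capture.

```python
"""Flag TCP source-port-zero reconnaissance in raw IPv4 packet records.

Added example, not Cisco/TRAC code. Record format, baseline method and sample
traffic are assumptions made for this demonstration.
"""
import statistics
import struct
from collections import Counter, defaultdict

IPPROTO_TCP = 6


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags=0x02):
    """Build a bare IPv4 + TCP header (SYN by default, checksums left zero).
    Used only to construct sample packets here; nothing is sent."""
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         ip4(src_ip), ip4(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_tcp(pkt):
    """Return (src_ip, dst_ip, sport, dport) for an IPv4/TCP packet, else None.
    Honours the IHL field so IP options do not shift the TCP ports."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_TCP or len(pkt) < ihl + 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport


def find_spikes(counts_by_hour, factor=5):
    """Flag hours whose sensor count is at least `factor` times the median of all
    earlier hours (the post's 'magnitude' baseline). Hours with no history or a
    zero baseline are never flagged, so a first noisy hour cannot self-trigger."""
    spikes, history = [], []
    for hour in sorted(counts_by_hour):
        n = counts_by_hour[hour]
        if history:
            baseline = statistics.median(history)
            if baseline > 0 and n >= factor * baseline:
                spikes.append(hour)
        history.append(n)
    return spikes


def port_zero_report(records, factor=5):
    """records: iterable of (sensor_id, hour, raw_ipv4_packet).
    Keeps only TCP packets with source port 0 and summarises them."""
    sensors = defaultdict(set)
    dports = defaultdict(Counter)
    sources = Counter()
    for sensor, hour, pkt in records:
        parsed = parse_tcp(pkt)
        if parsed is None:
            continue
        src, _dst, sport, dport = parsed
        if sport != 0:          # anything with a real source port is normal traffic
            continue
        sensors[hour].add(sensor)
        dports[hour][dport] += 1
        sources[src] += 1
    per_hour = {h: len(s) for h, s in sensors.items()}
    return {
        "sensors_per_hour": per_hour,
        "dports_by_hour": dict(dports),
        "sources": sources,
        "spikes": find_spikes(per_hour, factor),
    }


def dport_share(report, hour, port):
    """Fraction of the hour's port-0 packets aimed at `port` (0.0 if none seen)."""
    c = report["dports_by_hour"].get(hour, Counter())
    total = sum(c.values())
    return c[port] / total if total else 0.0


def sample_records():
    """Constructed sample data (not real capture): five quiet hours, then a burst
    of port-0 probes from one source, mostly at TCP 445, seen by fifteen sensors."""
    recs = []
    for hour in range(5):
        for sensor in ("s1", "s2", "s3"):
            recs.append((sensor, hour, build_ipv4_tcp("198.51.100.7", "192.0.2.10", 0, 80)))
    recs.append(("s1", 5, build_ipv4_tcp("192.0.2.5", "192.0.2.10", 51234, 443)))  # benign
    for i in range(15):
        sensor, victim = f"s{i + 1}", f"192.0.2.{i + 20}"
        recs.append((sensor, 5, build_ipv4_tcp("203.0.113.9", victim, 0, 445)))
        if i % 5 == 0:
            recs.append((sensor, 5, build_ipv4_tcp("203.0.113.9", victim, 0, 139)))
    return recs


if __name__ == "__main__":
    rep = port_zero_report(sample_records())
    print("sensors per hour:", rep["sensors_per_hour"])
    print("spike hours:", rep["spikes"])
    print("TCP/445 share in hour 5: %.2f" % dport_share(rep, 5, 445))
    print("top sources:", rep["sources"].most_common(3))
```

The median-of-history baseline is deliberately conservative: a single busy hour does not drag the baseline up, so a sustained scan over several hours is still flagged against the quiet period before it. In production the hour buckets would come from the sensor timestamps and the packet bytes from a capture or flow export rather than from the constructed records above.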
Thanks to TRAC Threat Researcher Martin Lee for help with this post.