Update 2013-11-12: Watch our YouTube discussion
Update 2013-11-05: Upon further examination of the traffic, we can confirm that a large percentage is destined for TCP port 445. This is indicative of someone looking for nodes running SMB/DCERPC. With that in mind, it is extremely likely that someone is looking for vulnerable Windows machines, or quite possibly that the “soon to be” attackers are looking for boxes already compromised by a specific malware variant.
On 2013-11-02 at 01:00 UTC Cisco saw a massive spike in TCP source port zero traffic for three hours. This was the largest spike of reconnaissance activity we’ve seen this year. TCP source port zero is a reserved port according to the RFC and it should not be used. Customers who see port zero activity on their network should consider the traffic suspicious and investigate the source.
This graph displays the magnitude of the number of sensors logging this activity. Normally we see a magnitude of less than 20; this increased fivefold on 2013-11-02. There was also an associated massive increase in the volume of traffic observed by signature 24199-0.
Generally speaking, port zero traffic can be indicative of reconnaissance and may be a precursor to more serious penetration attempts. Additionally, this traffic can be an attempt to identify network security devices. Various network equipment will respond to this abnormal traffic differently, and an attacker may be able to infer which devices a customer is using to protect their network by inspecting the responses. Similarly, different operating systems, or even different versions of the same operating system, may respond to the use of port zero in different ways. This can help the attacker make a more precise attempt to compromise a network.
Cisco TRAC has correlated the highest volume of traffic from these IP addresses, all of which are assigned to Ecatel:
Customers should be on the lookout for this activity. We do not know the intent of these packets. This could be a simple research project to map portions of the internet by operating system and service pack, or it could be an attacker preparing to do something nefarious. As we pointed out in our previous blog post, “reconnaissance may take place months before the attack begins so look for an increase in scans”. Users should block this port at their firewall, as it serves no legitimate purpose. It is also good practice to keep an eye on your logs for anomalous behavior.
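As an added illustration (not code from the original post or from Cisco), here is the log-review advice above turned into a small check: it parses a few constructed firewall-style log lines in a generic "proto src:sport -> dst:dport" shape (an assumed format, not a real Cisco log format), keeps only TCP packets with the reserved source port 0, counts them per source, tallies the destination ports so a skew toward 445 stands out, and flags sources whose count exceeds a baseline you choose.

```python
"""Flag TCP source-port-0 traffic in firewall-style log lines (added example)."""
import re
from collections import Counter

# Constructed sample lines; the line shape is an assumption, not a real
# Cisco format. 203.0.113.0/24 and 198.51.100.0/24 are documentation space.
SAMPLE_LOG = """\
2013-11-02T01:00:01Z TCP 203.0.113.10:0 -> 198.51.100.5:445
2013-11-02T01:00:02Z TCP 203.0.113.10:0 -> 198.51.100.6:445
2013-11-02T01:00:02Z TCP 203.0.113.11:0 -> 198.51.100.7:445
2013-11-02T01:00:03Z TCP 203.0.113.10:0 -> 198.51.100.8:80
2013-11-02T01:00:04Z TCP 203.0.113.50:51234 -> 198.51.100.5:443
2013-11-02T01:00:05Z UDP 203.0.113.12:0 -> 198.51.100.5:53
2013-11-02T01:00:06Z TCP 203.0.113.13:22 -> 198.51.100.9:0
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def port_zero_events(log_text):
    """TCP packets whose *source* port is the reserved value 0."""
    return [e for e in parse(log_text)
            if e["proto"] == "TCP" and e["sport"] == 0]


def summarize(events, threshold=20):
    """Per-source counts, destination-port mix, and sources above the baseline.

    'threshold' is the background level you consider normal on your network;
    anything above it is worth investigating (the page's baseline is ~20).
    """
    by_src = Counter(e["src"] for e in events)
    by_dport = Counter(e["dport"] for e in events)
    noisy = sorted(s for s, n in by_src.items() if n >= threshold)
    return {"sources": dict(by_src), "dst_ports": dict(by_dport),
            "noisy_sources": noisy}


if __name__ == "__main__":
    print(summarize(port_zero_events(SAMPLE_LOG), threshold=2))
```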
Thanks to TRAC Threat Researcher Martin Lee for help with this post.
Can you correlate the geographic origin of these packets?
Steve, you can look up the geographic origin by pasting the IP address into our senderbase.org site. Example:
http://www.senderbase.org/lookup?search_string=93.174.93.175
In my experience on smaller networks, reconnaissance IPs are not usually where the attacks come from and so it is difficult to know more than ‘we are being scanned’.
John, I completely agree. Once “they” have the data they can conduct the attack from a completely different address space. The proper way to deal with this is by blocking as much of the initial reconnaissance as possible so that you are a less enticing target. Port zero traffic is quite easy to block with the firewall or even the IPS.
Hi Craig, Martin. I seem to recall that source port 0 traffic was sometimes also seen in certain load-balancer scenarios, but I cannot recall the details on this as it was many years ago that this came across my radar while researching scan activity at a university. Considering the “sore thumb” that source port 0 traffic is, do you think that some attempt at fingerprinting network infrastructure was also performed and was there any other unusual element to the scanning traffic?
Thanks & Cheers,
Curt Wilson
Hi Curt,
It’s entirely possible there is a buggy load balancer out there that uses TCP source port 0. We do normally see a low level of background traffic using this port (note the dots below magnitude 20). The difference here is simply the amount of traffic involved. Yesterday I updated the post with the fact that the majority of the traffic is destined for TCP port 445. You may realize this is the SMB/MSRPC port for Windows – one of the largest remote attack surfaces out there. It’s likely that this is someone looking for Windows machines at specific versions/service packs or even boxes that have already been compromised by a specific piece of malware.
Thanks
Craig