Cyber Security Awareness Month - Day 2 - Port 0
The second day of Cybersecurity Awareness Month is dedicated to the strange and anomalous port number 0.
IANA has entries for both TCP and UDP defined within its range of assigned ports at: http://www.iana.org/assignments/port-numbers
Decimal Description
------- -----------
0/tcp Reserved
0/udp Reserved
As you can see, both are defined as being reserved.
However, there is a lesser-known definition for port 0, which is:
spr-itunes 0/tcp Shirt Pocket netTunes
spl-itunes 0/tcp Shirt Pocket launchTunes
which causes confusion when some /etc/services files include these itunes entries (nothing to do with Apple): tools that map port numbers to service names will then show the spr-itunes service as being in use whenever port 0 turns up.
The use of TCP port 0 was first introduced (as far as I can find) in RFC 675, which states that:
It is possible to specify a socket only partially by setting the PORT
identifier to zero or setting both the TCP and PORT identifiers to
zero. A socket of all zero is called UNSPECIFIED. The purpose behind
unspecified sockets is to provide a sort of "general delivery"
facility [useful for logger type processes with well known sockets].
So this would have resulted in a socket of 0.0.0.0:0 or x.x.x.x:0, where x.x.x.x is a valid IP address.
So, when do we see port 0 in use? Well, for no valid reason I know of.
Indeed, many IDSs provide signatures to detect packets which have a port number of 0, for example:
"alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)"
To break down this Snort IDS signature: it matches TCP traffic between $EXTERNAL_NET (any port) and $HOME_NET in either direction (the <> operator) where the port on the $HOME_NET side is 0, i.e. the destination port is 0 for inbound packets; flow:stateless means it fires on any such packet regardless of whether a TCP session has been established.
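As an added illustration (not part of the original diary), here is the matching logic of sid 524 reimplemented in Python and run over a few constructed packet records. It assumes $HOME_NET is 192.0.2.0/24 and $EXTERNAL_NET is its complement, as in a typical Snort configuration; both values are assumptions, not from the diary.

```python
import ipaddress
from dataclasses import dataclass

# Assumed $HOME_NET; $EXTERNAL_NET is treated as "not in HOME_NET" (!$HOME_NET).
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]


def in_home_net(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in HOME_NET)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def matches_sid_524(pkt: Packet) -> bool:
    """Emulate: alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (flow:stateless)."""
    if pkt.proto != "tcp":          # the rule is TCP-only
        return False
    src_home, dst_home = in_home_net(pkt.src), in_home_net(pkt.dst)
    # External -> home: the $HOME_NET side is the destination, so dport must be 0.
    if not src_home and dst_home and pkt.dport == 0:
        return True
    # Home -> external (the <> operator): the $HOME_NET side is the source.
    if src_home and not dst_home and pkt.sport == 0:
        return True
    return False                    # stateless: no session tracking needed


def port0_alerts(packets) -> list:
    """Return one alert string per packet that sid 524 would fire on."""
    return [f"BAD-TRAFFIC tcp port 0 traffic {p.src}:{p.sport} -> {p.dst}:{p.dport}"
            for p in packets if matches_sid_524(p)]


# Constructed sample packets (documentation address ranges, not real traffic).
SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", 40000, "192.0.2.10", 0),    # inbound, dport 0
    Packet("tcp", "192.0.2.10", 0, "198.51.100.7", 40000),    # outbound, sport 0
    Packet("tcp", "198.51.100.7", 0, "192.0.2.10", 80),       # external sport 0
    Packet("udp", "198.51.100.7", 53, "192.0.2.10", 0),       # UDP, not covered
    Packet("tcp", "198.51.100.7", 443, "192.0.2.10", 443),    # normal traffic
]

if __name__ == "__main__":
    for line in port0_alerts(SAMPLE_PACKETS):
        print(line)
```

Note that the third sample (an external host using source port 0 towards a normal service port) does not match, because the $EXTERNAL_NET side of the rule is "any"; catching that case needs a separate rule.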
Other handlers have pondered where such packets come from, for example: isc.sans.org/diary.html?storyid=556
but we also know that such packets can be created by tools such as hping3.
So, have you seen TCP port 0 on your network and found a valid reason for it being there? If so, drop us a line via the contact form, and I'll update the diary with those uses.
Update:
One of our diary readers, Troy, has let us know that he has seen TCP port 0 traffic on a number of occasions coming from an Akamai caching server farm. If you know why the people over at Akamai are using TCP port 0, or indeed have a packet capture we could examine, then please let us know via the contact form.