Re: [nsp] weird denied packets

From: Craig A. Huegen (chuegen@quadrunner.com)
Date: Sat Jun 06 1998 - 21:04:06 EDT


There was a recent post on bugtraq about a vulnerability using port 0. I suspect
that folks have now begun to see the "haqrz" running the exploit that was published.

On Sat, Jun 06, 1998 at 01:56:06PM -0400, Jon Lewis wrote:
==>Jun 6 01:00:31 deathstar-ether 1793: %SEC-6-IPACCESSLOGP: list 113 denied
==>udp 192.168.1.2(0) -> 207.30.16.10(0), 3 packets
==>Jun 6 11:09:02 deathstar-ether 1794: %SEC-6-IPACCESSLOGP: list 113 denied
==>udp 192.168.0.1(0) -> 205.229.54.144(0), 6 packets
==>Jun 6 11:15:02 deathstar-ether 1795: %SEC-6-IPACCESSLOGP: list 113 denied
==>udp 192.168.1.2(0) -> 205.245.11.10(0), 2 packets
==>
==>Is anyone else seeing lots of denied packets with port 0 on the dst and
==>src? This looks like some sort of attack. The ones above were denied
==>based on ingress filtering (192.168/16 addresses are invalid for this port),
==>but I've gotten reports from customers that they're seeing similar things
==>with valid addresses and can't see how their access-lists are denying the
==>packets unless it's just because the ports are invalid.
==>
==>
==>------------------------------------------------------------------
==> Jon Lewis <jlewis@fdt.net> | Spammers will be winnuked or
==> Network Administrator | drawn and quartered...whichever
==> Florida Digital Turnpike | is more convenient.
==>______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
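
Added example, not part of the original thread: a small Python parser for the %SEC-6-IPACCESSLOGP entries quoted above that totals denied packets per source and flags the two properties discussed, port 0 on both ends and an RFC 1918 source address. The field names and the `parse`/`summarize` helpers are this example's own; the sample input is the three quoted log lines with the mail wrapping undone.

```python
import ipaddress
import re
from collections import Counter

# The three log lines quoted in the message above, with the mail client's
# line wrapping undone so each syslog entry sits on one line.
SAMPLE_LOG = """\
Jun 6 01:00:31 deathstar-ether 1793: %SEC-6-IPACCESSLOGP: list 113 denied udp 192.168.1.2(0) -> 207.30.16.10(0), 3 packets
Jun 6 11:09:02 deathstar-ether 1794: %SEC-6-IPACCESSLOGP: list 113 denied udp 192.168.0.1(0) -> 205.229.54.144(0), 6 packets
Jun 6 11:15:02 deathstar-ether 1795: %SEC-6-IPACCESSLOGP: list 113 denied udp 192.168.1.2(0) -> 205.245.11.10(0), 2 packets
"""

# Group names (acl, proto, src, ...) are labels chosen for this example.
ENTRY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(log_text):
    """Return one dict per ACL log entry; other syslog lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if m is None:
            continue
        e = m.groupdict()
        for key in ("sport", "dport", "count"):
            e[key] = int(e[key])
        src = ipaddress.ip_address(e["src"])
        e["private_src"] = any(src in net for net in RFC1918)
        e["port_zero"] = e["sport"] == 0 and e["dport"] == 0
        entries.append(e)
    return entries

def summarize(entries):
    """Total denied packets per flag and per source address."""
    totals = {"port_zero": 0, "private_src": 0}
    by_src = Counter()
    for e in entries:
        if e["action"] != "denied":
            continue
        by_src[e["src"]] += e["count"]
        totals["port_zero"] += e["count"] * e["port_zero"]
        totals["private_src"] += e["count"] * e["private_src"]
    return totals, by_src

if __name__ == "__main__":
    totals, by_src = summarize(parse(SAMPLE_LOG))
    print(totals, by_src.most_common())
```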





