[Dshield] Source port zero...

J Lake jlake at knoxcounty.midcoast.com
Tue Dec 6 16:46:30 GMT 2005


On Sunday 20 November 2005 08:02 pm, dougweb wrote:
> In the last month or more I have had a rash of attacks using  source IP 0.
> These cannot be reported through DShield since the port number is below the
> port number value for reports. The other strange things about these is that
> virtually all of them show my IP as the only victim and each can have from
> 1 to five attempts.
>
> Are these spoofed IP's associated with port zero? The target port are the
> usual 1025 1026.  What might these be?

Someone posted a reply to this problem a couple months ago.
I believe they said it was caused by fragmented packets. The port number only 
shows in the header, not in any of the subsequent fragments. At least
that is what I think was said.

>
> I'm also seeing attempts to reach the bootstrap port from 0.0.0.0.

Unconfigured host trying to get an address via dhcp broadcast?

~J



More information about the list mailing list