[Dshield] Source port zero...
jlake at knoxcounty.midcoast.com
Tue Dec 6 16:46:30 GMT 2005
On Sunday 20 November 2005 08:02 pm, dougweb wrote:
> In the last month or more I have had a rash of attacks using source IP 0.
> These cannot be reported through DShield since the port number is below the
> port number value for reports. The other strange things about these is that
> virtually all of them show my IP as the only victim and each can have from
> 1 to five attempts.
> Are these spoofed IP's associated with port zero? The target port are the
> usual 1025 1026. What might these be?
Someone posted a reply to this problem a couple months ago.
I believe they said it was caused by fragmented packets. The port number only
shows in the header, not in any of the subsequent fragments. At least
that is what I think was said.
> I'm also seeing attempts to reach the bootstrap port from 0.0.0.0.
Unconfigured host trying to get an address via dhcp broadcast?
More information about the list