Computer Security - Port "0" scanning

09-12-2003, 04:28 PM   #1
Port "0" scanning


We are noticing a massive increase in connections from Port "8" on external
machines to Port "0" on our machine. We are getting roughly 4,000 per day.
My logs suggest most of the increase is from computers on our DSL subnet. A
sample entry is:

<SAMPLE>
Sep 9 01:02:50 hurl kernel: Packet log: input ACCEPT eth0 PROTO=1
xxx.xxx.xxx.xxx:8 xxx.xxx.xxx.xxx:0 L=92 S=0x00 I=59720 F=0x0000 T=125 (#5)
<END SAMPLE>

I have tried scanning my ports externally and get reports that the port is
not available. My computer is running SUSE Linux 7.2 with the firewall
running. Interestingly, our WinXP boxes do not show the same kind of
activity in their logs.

I really have two questions.

Is there a way to stop ACCEPTing these connections?

Activity increased after the latest email virus hit. Is it possible this
kind of activity is part of a denial of service attack which is not intended
to cripple specific machines, but to cripple the internet in general? We are
experiencing an overall sluggishness in internet responsiveness in recent
days.




Fred_McGriff
09-12-2003, 06:26 PM   #2
The Saint
Re: Port "0" scanning
Fred_McGriff wrote:

> We are noticing a massive increase in connections from Port "8" on external
>machines to Port "0" on our machine. We are getting roughly 4,000 per day.
> My logs suggest most of the increase is from computers on our DSL subnet. A
>sample entry is:


It isn't port 8 & 0, it's type 8 & 0.

><SAMPLE>
>Sep 9 01:02:50 hurl kernel: Packet log: input ACCEPT eth0 PROTO=1
>xxx.xxx.xxx.xxx:8 xxx.xxx.xxx.xxx:0 L=92 S=0x00 I=59720 F=0x0000 T=125 (#5)
><END SAMPLE>


Looking at the length (92), that tells me it's probably the variant of
the Blaster worm that's supposed to patch susceptible machines.

> I really have two questions.
>
> Is there a way to stop ACCEPTing these connections?


Yes, drop incoming, unsolicited ICMP ping requests. Simple.

> Activity increased after the latest email virus hit. Is it possible this
>kind of activity is part of a denial of service attack which is not intended
>to cripple specific machines, but to cripple the internet in general? We are
>experiencing an overall sluggishness in internet responsiveness in recent
>days.


You'd have to ask the writer of the worm.



The Saint
09-12-2003, 07:32 PM   #3
Fred_McGriff
Re: Port "0" scanning
> > We are noticing a massive increase in connections from Port "8" on external
> > machines to Port "0" on our machine. We are getting roughly 4,000 per day.
> > My logs suggest most of the increase is from computers on our DSL subnet. A
> > sample entry is:
>
> It isn't port 8 & 0, it's type 8 & 0.
>
> > <SAMPLE>
> > Sep 9 01:02:50 hurl kernel: Packet log: input ACCEPT eth0 PROTO=1
> > xxx.xxx.xxx.xxx:8 xxx.xxx.xxx.xxx:0 L=92 S=0x00 I=59720 F=0x0000 T=125 (#5)
> > <END SAMPLE>


So, this log entry:

Sep 9 01:00:37 hurl kernel: Packet log: input ACCEPT eth0 PROTO=6
xxx.xxx.xxx.xxx:58188 xxx.xxx.xxx.xxx:80 L=60 S=0x00 I=52194 F=0x4000 T=49
SYN (#14)

is for incoming type 58188 and type 80 not port 58188 on the external
machine and port 80 on my machine? If so, what is the practical difference
between calling it a type instead of a port?

> > Is there a way to stop ACCEPTing these connections?
>
> Yes, drop incoming, unsolicited ICMP ping requests. Simple.


How does one instruct SUSE Linux to do this? I must be blind because my
searches for help have drawn blanks during the past couple of months --
hence my decision to try here.




Fred_McGriff
09-12-2003, 08:46 PM   #4
Maxime Ducharme
Re: Port "0" scanning

"Fred_McGriff" <> wrote in message
news:Kio8b.117117$kW.63263@edtnps84...
> > > We are noticing a massive increase in connections from Port "8" on external
> > > machines to Port "0" on our machine. We are getting roughly 4,000 per day.
> > > My logs suggest most of the increase is from computers on our DSL subnet. A
> > > sample entry is:
> >
> > It isn't port 8 & 0, it's type 8 & 0.
> >
> > > <SAMPLE>
> > > Sep 9 01:02:50 hurl kernel: Packet log: input ACCEPT eth0 PROTO=1
> > > xxx.xxx.xxx.xxx:8 xxx.xxx.xxx.xxx:0 L=92 S=0x00 I=59720 F=0x0000 T=125 (#5)
> > > <END SAMPLE>
>
> So, this log entry:
>

I get this too; as The Saint said, these are ping requests. They come from
various viruses trying to know which hosts are "alive". My average is
5/minute on my home PPPoE link.


> Sep 9 01:00:37 hurl kernel: Packet log: input ACCEPT eth0 PROTO=6
> xxx.xxx.xxx.xxx:58188 xxx.xxx.xxx.xxx:80 L=60 S=0x00 I=52194 F=0x4000 T=49
> SYN (#14)
>
> is for incoming type 58188 and type 80 not port 58188 on the external
> machine and port 80 on my machine? If so, what is the practical difference
> between calling it a type instead of a port?
>


These are TCP packets. You can tell the difference by looking at the
"PROTO" field, which indicates 6 here (TCP) and 1 for the other (ICMP).

TCP is used to create virtual "connections" on top of the IP protocol. ICMP is used
to tell other hosts what happens, usually when a problem occurs.

You can find which number is which on the IANA web site:
http://www.iana.org/assignments/protocol-numbers

TCP uses ports instead of types and codes. The list of ports and their standards
is here: http://www.iana.org/assignments/port-numbers

Now this line indicates that someone is trying to access a web server on
your host (destination port 80).


> > > Is there a way to stop ACCEPTing these connections?
> >
> > Yes, drop incoming, unsolicited ICMP ping requests. Simple.
>
> How does one instruct SUSE Linux to do this? I must be blind because my
> searches for help have drawn blanks during the past couple of months --
> hence my decision to try here.
>


I think you should take a look at the "iptables" or "netfilter" documentation.
This is the built-in firewall for the Linux kernel, and it should always be
configured properly.

A lot of information on this:
www.netfilter.org


Hope it helps

Max




Maxime Ducharme
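The two log lines quoted in this thread illustrate Maxime's point: the "host:number" fields after PROTO mean different things depending on the protocol. The following is an added example, not code from any poster or from the SuSE firewall: a small POSIX shell function that decodes an ipchains-style "Packet log:" line, reading the two numbers as ICMP type and code when PROTO=1 and as source and destination ports when PROTO=6 or 17. The sample lines are the ones posted above; the ICMP type names table is my own and covers only a few common types.

```shell
#!/bin/sh
# Added example (not from the thread): decode the PROTO field and the two
# "addr:number" fields of an ipchains-style "Packet log:" line.
# For PROTO=1 (ICMP) the numbers after the colons are ICMP type and code;
# for PROTO=6 (TCP) and PROTO=17 (UDP) they are source and destination ports.

# Map an ICMP type number to a name.  Only a few common types are listed
# (assumed table, not from the thread); anything else is reported by number.
icmp_type_name() {
    case "$1" in
        0)  echo "echo-reply" ;;
        3)  echo "destination-unreachable" ;;
        8)  echo "echo-request" ;;
        11) echo "time-exceeded" ;;
        *)  echo "type-$1" ;;
    esac
}

# Print a one-line interpretation of the log line passed as "$1".
describe_packet_log() {
    proto="" src="" dst="" len="" flags="" seen_proto=0
    for tok in $1; do
        case "$tok" in
            PROTO=*) proto=${tok#PROTO=}; seen_proto=1 ;;
            L=*)     len=${tok#L=} ;;
            SYN|ACK|FIN|RST) flags="$flags$tok " ;;
            *:*)
                # Only the two host:number tokens after PROTO are src and dst;
                # the timestamp and "kernel:" also contain colons but come first.
                if [ "$seen_proto" = 1 ]; then
                    if [ -z "$src" ]; then src=$tok
                    elif [ -z "$dst" ]; then dst=$tok
                    fi
                fi ;;
        esac
    done
    [ -n "$src" ] && [ -n "$dst" ] || { echo "unparsed: $1"; return 1; }
    shost=${src%:*}; snum=${src##*:}
    dhost=${dst%:*}; dnum=${dst##*:}
    case "$proto" in
        1)  echo "ICMP $(icmp_type_name "$snum") (type $snum, code $dnum) from $shost to $dhost, length $len" ;;
        6)  echo "TCP ${flags}from $shost port $snum to $dhost port $dnum, length $len" ;;
        17) echo "UDP from $shost port $snum to $dhost port $dnum, length $len" ;;
        *)  echo "protocol $proto from $shost to $dhost, length $len" ;;
    esac
}

# The two entries quoted in this thread (addresses masked as posted).
SAMPLE_ICMP='Sep 9 01:02:50 hurl kernel: Packet log: input ACCEPT eth0 PROTO=1 xxx.xxx.xxx.xxx:8 xxx.xxx.xxx.xxx:0 L=92 S=0x00 I=59720 F=0x0000 T=125 (#5)'
SAMPLE_TCP='Sep 9 01:00:37 hurl kernel: Packet log: input ACCEPT eth0 PROTO=6 xxx.xxx.xxx.xxx:58188 xxx.xxx.xxx.xxx:80 L=60 S=0x00 I=52194 F=0x4000 T=49 SYN (#14)'

describe_packet_log "$SAMPLE_ICMP"
describe_packet_log "$SAMPLE_TCP"
```

Run against a whole log with `grep 'Packet log:' /var/log/messages | while IFS= read -r line; do describe_packet_log "$line"; done`; the 92-byte PROTO=1 entries then read as "echo-request (type 8, code 0)" rather than as traffic to a port.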
09-12-2003, 11:06 PM   #5
Fred_McGriff
Re: Port "0" scanning
> > > > We are noticing a massive increase in connections from Port "8" on external
> > > > machines to Port "0" on our machine. We are getting roughly 4,000 per day.
> > > > My logs suggest most of the increase is from computers on our DSL subnet. A
> > > > sample entry is:
>
> I get this too, as The Saint said, these are ping requests. They come from
> various viruses trying to know which hosts are "alive". My average is
> 5/minutes on my home PPPoE link.

> > > > Is there a way to stop ACCEPTing these connections?
> > >
> > > Yes, drop incoming, unsolicited ICMP ping requests. Simple.

Thank you for your help and patience. I finally figured it out. As always,
these things become clearer once I come here or other news groups and
display my ignorance. Under SUSE firewall, you can turn off ICMP in
firewall.rc.config as follows:

# Allow ping on firewall
FW_ALLOW_PING_FW="no"
# Allow ping on DMZ targets
FW_ALLOW_PING_DMZ="no"

While some of these are pings from viruses, some organizations who were
pinging us in the past claim they are doing so to verify that our server is
up and running and the status of the connection so that they can do a better
job of servicing the needs of their customers who are also trying to access
our website.
With that in mind, is that a good enough reason to keep accepting these
ping requests? Is there ever a valid reason to accept ping requests these
days? Would dropping them make a difference?




Fred_McGriff
09-13-2003, 01:14 AM   #6
The Saint
Re: Port "0" scanning
Fred_McGriff wrote:

> With that in mind, is that a good enough reason to keep accepting these
>ping requests? Is there ever a valid reason to accept ping requests these
>days? Would dropping them make a difference?


Normally, it's not unacceptable to accept pings, but now I drop all
unsolicited pings. I do, however, allow select types, like Type 3
(dest unreachable, etc.) but with a very carefully crafted ruleset.



The Saint
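Fred's fix switches ping off wholesale in firewall.rc.config, and The Saint's last post describes the more careful version of the same policy: drop unsolicited echo requests but keep the ICMP error types, such as type 3, that TCP/IP needs. The script below is an added example and is neither the SuSE firewall's configuration nor either poster's ruleset; it states that policy with iptables, the netfilter tool Maxime pointed to. It assumes an iptables build with the state match, an external interface named eth0 (placeholder, override with EXT_IF), and rate limits that are my choice. Unless APPLY=1 is set it only prints the commands, so the rules can be reviewed before being loaded as root.

```shell
#!/bin/sh
# Added example, not the SuSE firewall.rc.config settings quoted in this thread
# and not the posters' own rules.  Policy: drop unsolicited echo requests, keep
# ICMP error messages (type 3 and friends) and replies to pings we sent.
# Assumes iptables with the state match; EXT_IF is a placeholder.
# Without APPLY=1 the commands are printed instead of executed.

EXT_IF=${EXT_IF:-eth0}          # external interface (placeholder)
IPT=${IPT:-iptables}
[ "${APPLY:-0}" = "1" ] || IPT="echo $IPT"

icmp_rules() {
    # Work in our own chain so the rest of the firewall is left alone.
    $IPT -N icmp-in 2>/dev/null
    $IPT -F icmp-in

    # Replies to pings and traceroutes this host initiated are matched by
    # connection tracking; an unsolicited echo request is never ESTABLISHED.
    $IPT -A icmp-in -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Error messages TCP/IP relies on: destination unreachable (type 3, which
    # carries fragmentation-needed for path MTU discovery), time exceeded (11),
    # parameter problem (12).  Rate-limited so a flood of them is not free.
    for t in destination-unreachable time-exceeded parameter-problem; do
        $IPT -A icmp-in -p icmp --icmp-type "$t" -m limit --limit 10/second -j ACCEPT
    done

    # Unsolicited echo requests (type 8): log a sample, then drop.  These are
    # the PROTO=1 "x:8 y:0" entries the thread is about.
    $IPT -A icmp-in -p icmp --icmp-type echo-request -m limit --limit 3/minute \
        -j LOG --log-prefix "ICMP echo dropped: "
    $IPT -A icmp-in -p icmp --icmp-type echo-request -j DROP

    # Anything else ICMP (redirects, router advertisements, ...) is dropped too.
    $IPT -A icmp-in -j DROP

    # Hand inbound ICMP on the external interface to the chain; delete any
    # earlier jump first so re-running the script does not stack duplicates.
    $IPT -D INPUT -i "$EXT_IF" -p icmp -j icmp-in 2>/dev/null
    $IPT -A INPUT -i "$EXT_IF" -p icmp -j icmp-in
}

icmp_rules
```

The ordering matters: the ESTABLISHED,RELATED rule must come before the echo-request DROP, otherwise replies to the host's own pings are lost too, and the type 3 ACCEPT must precede the final DROP or path MTU discovery breaks for the web server the thread mentions.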