Other Port 0

Thread starter: Deleted member 30996
Tags: port 0

Deleted member 30996 (Guest)
Last night I was looking at a security forum and saw someone mention Steve Gibson's Shields Up port scanner site. I know all about Steve Gibson and don't frequent his site, but thought what could it hurt to run an outside scan on the ISP-provided cable modem. So I did:

Code:
GRC Port Authority Report created on UTC: 2021-08-12 at 10:19:12

Results from scan of ports: 0-1055

    0 Ports Open
    1 Ports Closed
 1055 Ports Stealth
---------------------
 1056 Ports Tested

NO PORTS were found to be OPEN.

The port found to be CLOSED was: 0

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.

It went into more detail on another page, the Background and Additional Information section of which I found of some interest. I cannot vouch for validity of it:

Port Authority Database

Port 0

Name:
<nil>
Purpose:
Not a valid port number.
Description:
"Port Zero" does not officially exist. It is defined as an invalid port number. But valid Internet packets can be formed and sent "over the wire" to and from "port 0" just as with any other ports.
Related Ports:
-

Background and Additional Information:

The designers of the original Berkeley UNIX "Sockets" interface, upon which much of the technology and practice we use today is based, set aside the specification of "port 0" to be used as a sort of "wild card" port. When programming the Sockets interface, the provision of a zero value is generally taken to mean "let the system choose one for me". Programmers who specify "port 0" know that it is an invalid port. They are asking the operating system to pick and assign whatever non-zero port is available and appropriate for their purpose.

As a result of this programming convention, there has traditionally been no way for Internet Sockets programmers to generate or receive "port 0" Internet traffic. So port zero was set aside and never defined or used. Although times and technology have changed dramatically, port zero has remained something of an unexplored "no man's land".

However, with the widespread and growing availability of operating systems offering the "Raw Socket" programming interface — which provides the means for deliberately generating port zero packets — the presence and security of "port zero" is of growing importance.

I have a port 0 rule in my pf ruleset that I've carried over from my Win98 days when using ConSeal PC Firewall:

Code:
### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

My NetGear commercial router will not accept that rule, returning "port 0 not a valid port", IIRC. My cable modem belongs to Spectrum and I've never been able to gain access to the workings of it. The closest I've gotten was a look inside that indicated there is a password that is changed daily.

I've never had a return on port 0 so I used google-fu on it. It came back with several results, some indicating port 0 used in DDOS attacks and one report of a comment made about it in response to an article on the InfoSec Handlers Diary Blog:
One of our diary readers, Troy, has let us know that he has seen on a number of occasions TCP Port 0 traffic coming from an Akamai caching server farm. If you know why the people over at Akamai are using TCP port 0, or indeed have a packet capture we could examine the please let us know via the contact form.

Akamai... Now who could be using that? Microsoft?
I believe so... I've posted before about when I entered that port 0 rule into the Win10Pro firewall it blocked Windows Update.

I don't have a Windows box anymore, port 0 is closed on the modem, and if a packet got past the modem and the router firewall it wouldn't get past my pf port 0 rule. So this is anti-climactic in some sense. For me.

What about you? Are you running a server? Are you counting ports from TCP 1-65535 and UDP 1-65535? Do you block port 0? Is it of any concern to you? Should it be?

You decide.


*Link Fixed 1-10-22*

There is a .pdf entitled "The Curious Case of Port 0" that goes into some depth on the DDOS aspect of it, using The Gobbler port scanner, which has been ported to OpenBSD. I won't post the link to download the .pdf.

I'm not concerned, but wanted to bring it to your attention. I will be keeping my port 0 rule and not much else I can do about it.
 
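To make the pf rule above concrete, here is an added example (my own code, not from any poster in this thread) that builds a few constructed IPv4 packets, including a SYN to port 0 shaped like the "Offending packet" nmap prints later in the thread, and checks which of them the two `block quick ... port = 0` rules would match. It also shows the Sockets "port 0 means let the system choose" convention from the GRC background text: a bind to port 0 returns a non-zero ephemeral port, so a legitimately bound socket never hits the rule. Addresses and ports in the samples are made up.

```python
import socket
import struct

# --- Constructed sample packets (not captures from the thread) ---------------
def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options; checksum left 0) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_tcp_syn(sport, dport):
    """Bare TCP header with only SYN set, like an nmap probe; checksum left 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 1024, 0, 0)

def build_udp(sport, dport, data=b""):
    """UDP header (length, checksum 0) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# --- The check the pf rules perform -----------------------------------------
def port0_rule_matches(pkt):
    """True if 'block quick proto { tcp, udp } from any port = 0 to any' or
    '... from any to any port = 0' would match this IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # 6 = TCP, 17 = UDP
    if proto not in (6, 17):           # only TCP/UDP carry port numbers
        return False
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return sport == 0 or dport == 0

def ephemeral_port_from_bind_zero():
    """Ask for 'port 0' the Sockets way: the OS picks a free non-zero port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

SAMPLES = {
    # same shape as nmap's "TCP 192.168.1.5:40483 > 192.168.1.1:0 S" line
    "nmap_syn_to_port0": build_ipv4(6, "192.168.1.5", "192.168.1.1", build_tcp_syn(40483, 0)),
    "udp_from_port0": build_ipv4(17, "203.0.113.9", "192.168.1.5", build_udp(0, 53)),
    "normal_https_syn": build_ipv4(6, "192.168.1.5", "198.51.100.7", build_tcp_syn(40484, 443)),
    "icmp_echo": build_ipv4(1, "192.168.1.5", "192.168.1.1", bytes([8, 0, 0, 0, 0, 1, 0, 1])),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} blocked_by_port0_rule={port0_rule_matches(pkt)}")
    print("bind(port 0) gave ephemeral port", ephemeral_port_from_bind_zero())
```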
Just out of curiosity, did you check whether a scrub rule would drop such packets? I think according to the description, it should, as TCP port 0 is clearly "invalid".

What about you? Are you running a server? Are you counting ports from TCP 1-65535 and UDP 1-65535? Do you block port 0? Is it of any concern to you? Should it be?
So far, I personally don't care. It's an invalid port number, the system has no way to find an application to pass it to, so what should it do? Anything bad happening upon receiving such a packet would be a really awful bug :oops:

BTW, as for this "stealth" stuff Gibson promotes, I guess it's well known nowadays this is BS (like almost all of his stuff), right? There's no way to "hide" a host as long as the last router on the path to it behaves correctly and sends ICMP "host unreachable" packets back in case the target host is indeed down or does not exist…
 
Just out of curiosity, did you check whether a scrub rule would drop such packets? I think according to the description, it should, as TCP port 0 is clearly "invalid".
It's the modem that it's scanning. I don't have Admin rights to it to add a rule or I would add my own.

So far, I personally don't care. It's an invalid port number, the system has no way to find an application to pass it to, so what should it do? Anything bad happening upon receiving such a packet would be a really awful bug :oops:
Did you happen to read any of the material I linked to?

This is older stuff from 1999 when I made my rule, both talk about the same thing:

Check Point FireWall-1 can be subjected to a denial of service via UDP packets that are sent through VPN-1 to port 0 of a host

It was possible to crash either the remote host or the firewall in between us and the remote host by sending a UDP packet going to port 0.

This flaw may allow an attacker to shut down your network.

Solution : contact your firewall vendor if it was the firewall which crashed, or filter incoming UDP traffic if the remote host crashed.

Risk factor : Medium

CVSS Score: 5.0

BTW, as for this "stealth" stuff Gibson promotes, I guess it's well known nowadays this is BS (like almost all of his stuff), right?
I tried to get past this part:

I know all about Steve Gibson and don't frequent his site...
I was hanging out at DSLR Security forums when all that BS went on, and that's where I saw it talked about last night. He still talks about ZoneAlarm on his site.

It was not his "stealth" stuff that is the issue. It was port 0 coming back as "closed" that is the issue. That I had never had a port scan return a "port 0 closed" result, not even his, is why I brought it up.

I know what a closed state is, so no need to tell me it's closed; a "the door is shut, you can't come in" type explanation is not necessary.

There's no way to "hide" a host as long as the last router on the path to it behaves correctly and sends ICMP "host unreachable" packets back in case the target host is indeed down or does not exist…
It used to stop at the telephone pole outside my house when I had dial-up.

I'm not going to explain for him the difference between it showing the host as up, down or non-existing. "Does not exist" is what he calls stealth.
 
I'll PM you my IP# if you like.

As an aside, Akamai is used all over the web but I am not sure it is specifically a Microsoft technology. It's just web caching servers based on geographical region, as far as I understand it.
It's not a Microsoft technology. I said they used, utilized, Akamai to deliver their updates.

That they were using port 0 to do it is something I brought up with ronaldlees a couple of years ago; that was at least one time I mentioned it. Then I came back and told him somebody else was talking about port 0 at another site.

I was hoping you'd show up so you might be able to provide us with first-hand knowledge as a pen tester.

Anybody with a Win10 box can enter a TCP and UDP port 0 rule to see if it does indeed stop MS updates. I watched it happen and disabled the rule to watch it update once I had.
 
I'll play around with nmap at work - I've got some resources I can scan. Network pen testing is not my wheelhouse but I understand it so will report back anything interesting.

Sorry, misunderstood your earlier statement about Microsoft and Akamai.
 
So, ran an nmap -d -d on an asset external to my work environment running RHEL 7.9 and it showed ports from 1 to whatever showing closed. No port 0. Interesting. I suspect I would need to do this so the scan is against the asset itself without a firewall in place.
 
If Steve Gibson's scan is truthful you should see a closed port 0 on my cable modem. I'll try that command later, I used nmap -Pn 0 -T4 -A -v 192.168.0.1 this morning but that wasn't right.

Code:
Nmap scan report for 192.168.0.1
Host is up.
All 1000 scanned ports on 192.168.0.1 are filtered
 
I got out my nmap cookbook. This is sending a raw socket packet to port 0:

Netgear router:
Code:
root@bakemono:/ # nmap --send-eth -p 0 192.168.1.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-12 23:58 CDT
Nmap scan report for 192.168.1.1
Host is up (0.00036s latency).

PORT  STATE  SERVICE
0/tcp closed unknown
MAC Address: de:ad:be:ef:b0:0b (Netgear)

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
root@bakemono:/ #

Regular packet to the router:
Code:
root@bakemono:/ # nmap -p 0 192.168.1.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-13 00:59 CDT
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.1.1, 16) => Permission denied
Offending packet: TCP 192.168.1.5:40483 > 192.168.1.1:0 S ttl=42 id=6027 iplen=44  seq=516739711 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.1.1, 16) => Permission denied
Offending packet: TCP 192.168.1.5:40484 > 192.168.1.1:0 S ttl=51 id=48092 iplen=44  seq=516805246 win=1024 <mss 1460>
Nmap scan report for 192.168.1.1
Host is up (0.00029s latency).

PORT  STATE    SERVICE
0/tcp filtered unknown
MAC Address: A0:04:60:28:0D:97 (Netgear)

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
root@bakemono:/ #

Cable modem raw packet:
Code:
root@bakemono:/ nmap -Pn --send-eth -p 0 192.168.0.1
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-13 00:12 CDT
Nmap scan report for 192.168.0.1
Host is up.

PORT  STATE    SERVICE
0/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 2.14 seconds
root@bakemono:/ #

The router responded to a raw packet and showed port 0 as closed. A firewall is running on it but not very well.
The cable modem did not respond to a raw packet to port 0 and returned filtered. A firewall must be running on it.
 
I found a new link just put up yesterday by the original author and fixed it.
 