Networking

Dayton's Den


Categories
Useful Links
Blog Administration

Sticky Postings

TCP/UDP Ports Posted by Jason Robertson in Networking, TCP/UDP Ports on Saturday, February 16. 2013
Last modified on 2014-08-02 10:51

TCP/UDP Ports

 TCP and UDP Port Information 

 Port

IANA Description

 TCP

UDP

Broadcast

 0

Reserved

Info

22

Secure Shell (SSH)

Info

Info

 

23

Telnet

Info (Offsite)

 

 

25

SMTP

Info (Offsite)

 

 

80

Hypertext Transport Protocol (HTTP)

Info

 

 

109

Post Office Protocol v2 (POP2 Obsolete)

Info (Offsite)

 

 

110

Post Office Protocol v3 (POP3)

Info (Offsite)

 

 

137

NetBIOS Name Service

 

Info

Info

138

NetBIOS Datagram Service

 

Info

 

139

NetBios Session Service

Info

 

 

143

Internet Message Access Protocol (IMAP)

Info

 

 

443

Secure Hypertext Transport Protocol (HTTPS)

Info

 

 
993 Secure Internet Message Access Protocol (IMAPS) Info    
995 Secure Post Office Protocol v3 (POP3S) Info (Offsite)    

8080

Hypertext Transport Protocol - Alternate (HTTP)

Info

 

 

 47474

Unregistered

 

Info

 

ICMP Type and Code information

Type

Code

Description

0

0

Echo Reply used with Echo Request ICMP 8/0

3

-

Destination Unreachable

4

0

Source Quench - used as a congestion control mechanism.

8

0

Echo Request.

11

0

TTL Expired in Transit

13

0

Timestamp Request

14

0

Timestamp Response

 

 

Saturday, February 16. 2013

TCP Port 80 Posted by Jason Robertson in TCP/UDP Ports at 16:09
Last modified on 2013-02-16 16:31

TCP Port 80

Description:

The HTTP Protocol, is a Response-Request protocol, that was created for distributed, collabrative information system.  Information is formatted using HTML

 

Links

  • Wikipedia - Description of the HTTP Protocol.
  • W3C - The Standards Body for the Web Protocols

 

Tuesday, May 17. 2011

UDP Port 22 Posted by Jason Robertson in TCP/UDP Ports at 10:26
Last modified on 2014-08-02 11:03

UDP Port 22

Description:

UDP port 22, was commonly used for PCAnywhere status checks upto version 7.51, but this has been changed since that version.  It is also assigned to be used by SSH, but I do not know of any server or client that uses this. 

 

Causes:

Currently the only known cause to see traffic to this port would be if you are running a version of PCAnywhere version 7.51 or older.  But this does not mean that Trojans may not use it.

Suggestions:

 - Upgrade PCAnywhere, if running on the network.

Friday, June 26. 2009

ICMP Type 0 - Echo Reply Posted by Jason Robertson in TCP/UDP Ports at 09:24
Last modified on 2014-08-02 11:05

ICMP Type 0 - Echo Reply

Common Name:
  • ICMP Echo Reply
Sample Trace:

None at this moment.

Description:

ICMP Type 0, has only the sub-code 0, also known as the ICMP Echo Reply, is the response ICMP type for ICMP echo requests, or pings. You should not see these coming in bound without corresponding outbound traffic. As well the data received under this, should close to the same amount of data sent by the ICMP echo request. Also this should only have a sub-code of 0, as there is no other sub-code assigned to ICMP Type 0.

This at one point was used by malware, TFN, TFN2K and Stacheldraht. These used ICMP Echo requests and replies, to transfer commands between the clients and deamons. These programs may also create a great deal of traffic that does not have a source address from your internal network.

Causes:

Normally it’s seen as in day to day traffic, for troubleshooting.

Suggestions:
  • If you can do it, block this protocol inbound and outbound. If this is not a possibility limit who can do it. Some stateful firewalls, will monitor outbound traffic and allow for corresponding inbound traffic, including ICMP echo request to ICMP echo reply.
  • If your firewall has the capability limit the size and the ICMP codes that are considered valid, and drop the rest of the echo reply requests.
  • In general, your router and firewall should disallow traffic outbound that is not from your internal network to be sent.
  • Run an IDS on the network to allow you to detect these strange traffic, many can now detect this type of malware.

Links

W3C – Securing against Denial of Service Attacks
packetstormsecurity - TFN2K Analysis

 

Thursday, June 25. 2009

TCP/UDP Port 0 Posted by Jason Robertson in TCP/UDP Ports at 07:59
Last modified on 2021-11-06 12:53

TCP/UDP Port 0

Sample Trace:
No Trace available 
Description:

TCP/UDP port 0, is a reserved port, it should not be seen in the real world.  This port sometimes is used in networking programming, where the system is used to dynamically assign the next available port, though this does not work in windows programming.

 
Causes:
The places you will often see this, will be in either firewall logs, or summaries of firewall logs.  This is often due to the fact that the software has tried to standardize the output. This is also compounded with the fact that there is an ICMP response 0, which is an echo reply.
 
You may also see this port due to a vulnerability that would cause a Checkpoint Firewall-1 to crash.

 

Suggestions:
If you are running Checkpoint Firewall-1, make sure you have upgraded, to a newer version.  If you are running a program that is creating packets destined for this port, you should contact the vendor regarding this, as you should not see this.
If it's within the firewall logs, or summaries you can contact the developers or vendors to add this information, but this is not always a critical issue for these organizations. 
 
Links:
  • OSVDB - Information on vulnerability that caused a Checkpoint Firewall-1 to crash. 
  • About -  Information regarding Port 0 from About.com.

Tuesday, June 23. 2009

TCP Port 22 Posted by Jason Robertson in TCP/UDP Ports at 08:43
Last modified on 2014-08-02 11:06

TCP Port 22

Sample Trace:
06:29:38.496457 IP 192.168.10.123.1237 > 192.168.10.22.22: S 3385009596:3385009596(0) win 16384 <mss 1460,nop,nop,sackOK>

Description:

TCP port 22, is commonly used for SSH versions 1 and 2.  SSH or Secure Shell, is a network protocol, which allows for data to be exchanged in a secure and encrypted channel.  SSH is commonly used to run command line applications, but SSH may also allow for Tunneling of TCP Protocols, as well as X11 packets.
Other functions in SSH is are the capabilities of SCP (Secury Copy), SFTP (Secure FTP) and RSH capabilities.
Authentication for SSH can be done with SSH Keys, which can allow for password-less secured authentication (though this key can also be set with a password), or password authenticated, the latter is less secure, as it can still allow for man-in-the-middle attacks.
SSH v1, should be considered obsolete as there is an inherit weakness in the implementation of version 1.  A second SSH inherit weakness in the protocol is the requirement to trust the SSH Public Keys generated by the user or for the server, so trust is required by both the server administrator and the remote user.

 

Causes:
Recently there has been ongoing scans for this port that when an live server is found, it attempts to brute force passwords, for common accounts including root.  I've personally seen upto 2000 failed connections in a 24 hour period.
 
Suggestions:
Disable SSH V1, this protocol is to be considered obsolete.
Disable SSH Root Access, root should never have direct remote access.
If possible, disable Password authentication.
If possible, move the listening port to another port to reduce the brute force attacks.
Ratelimit incoming connections, on a firewall (on linux iptables' limit, and state modules).
If password authentication is still being used, think of using pam_tally (linux), denyhosts, pam_abl (linux, and you need to use the development code with the latest) to limit brute force attempts.
Secure the user accounts, you can use rbash, or you can chroot the accounts (though this could be a great deal of work).
Links
  • Wikipedia - Wikipedia Entry on SSH
  • OpenSSH - The most common SSH Server in use today.
  • Incidents.org - This is graph of current port scans for SSH Services.

Saturday, February 3. 2007

UDP Broadcasts to Port 47474 Posted by Jason Robertson in TCP/UDP Ports at 19:37
Last modified on 2014-08-02 11:07

UDP Broadcasts to Port 47474

Sample trace:
IP w.x.y.z.2000 > 255.255.255.255.47474: UDP, length yyy

Description:
This is a UDP broadcast packet that you may see on your network, every 10 minutes, from 1 or more machines.  It has come to my attention that this may also be used with bittorrent, but from what I can tell it is not normal, I will look into this.
 
Cause:
This is caused by the Esker License Service, which broadcasts out to find all licensed copies of Esker products on the local network.  This process runs every 10 minutes, while systems are running this service.

Suggestions
Well there is not much I can say about this, you can not disable the service, or the Esker products running on the system will stop working.  Things which do work (but remember licenses may not allow them):
  • Filter on system's outbound traffic.
  • Filter on a L3 aware switch.
  • Switch from Esker products.
  • Live with it.
Recommendations for Esker
  • Multicast is your friend, use the Multicast.
  • Create a license server.
If you are a Network Administrator, block outbound traffic to 255.255.255.255 the world doesn't need to see this traffic.
Links
« previous page   (Page 1 of 1, totaling 7 entries)   next page »
Frontpage