TCP/UDP Ports
Posted by Jason Robertson in Networking, TCP/UDP Ports on Saturday, February 16. 2013
Last modified on 2014-08-02 10:51

TCP and UDP Port Information
ICMP Type and Code information
Tuesday, May 17. 2011
UDP Port 22
Description: UDP port 22 was commonly used for PCAnywhere status checks up to version 7.51, but this changed after that version. It is also assigned to SSH, but I do not know of any server or client that uses it.
Causes: Currently the only known cause of traffic to this port is running PCAnywhere version 7.51 or older. That does not mean Trojans may not use it.
Suggestions:
- Upgrade PCAnywhere, if it is running on the network.

Friday, June 26. 2009
ICMP Type 0 - Echo Reply
Posted by Jason Robertson in TCP/UDP Ports at 09:24
Last modified on 2014-08-02 11:05
Common Name:
Sample Trace:
None at this moment.
Description: ICMP Type 0 has only sub-code 0. Also known as the ICMP Echo Reply, it is the response type for ICMP echo requests, or pings. You should not see these coming inbound without corresponding outbound traffic, and the amount of data received in the reply should be close to the amount sent in the echo request. It should only carry sub-code 0, as no other sub-code is assigned to ICMP Type 0. At one point this was used by the malware TFN, TFN2K and Stacheldraht, which used ICMP echo requests and replies to transfer commands between clients and daemons. These programs may also create a great deal of traffic that does not have a source address from your internal network.
Causes: Normally it is seen in day-to-day traffic, for troubleshooting.
Suggestions:
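The three checks above (reply without a matching request, reply payload much larger than the request, sub-code other than 0) as a small correlation routine over captured ICMP packets. This is an added example, not code from the original post; the packet record format, the 192.168.10.0/24 internal prefix and the sample packets are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Icmp:
    """One ICMP packet as a collector might hand it to us (constructed format)."""
    ts: float         # capture time in seconds
    src: str
    dst: str
    icmp_type: int    # 8 = echo request, 0 = echo reply
    code: int
    ident: int        # ICMP identifier field
    seq: int          # ICMP sequence number
    payload_len: int  # bytes of data after the ICMP header

INTERNAL_PREFIX = "192.168.10."   # assumed internal network (matches the traces on this page)

def audit_echo_replies(packets, size_slack=8):
    """Flag inbound echo replies that break the rules in the post:
    no matching outbound request, payload size far from the request's,
    or a sub-code other than 0. Returns a list of (reason, packet)."""
    outstanding = {}   # (our_host, remote, ident, seq) -> request payload length
    findings = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.icmp_type == 8 and p.src.startswith(INTERNAL_PREFIX):
            outstanding[(p.src, p.dst, p.ident, p.seq)] = p.payload_len
        elif p.icmp_type == 0 and p.dst.startswith(INTERNAL_PREFIX):
            if p.code != 0:
                findings.append(("nonzero-code", p))
            req_len = outstanding.pop((p.dst, p.src, p.ident, p.seq), None)
            if req_len is None:
                findings.append(("unsolicited-reply", p))
            elif abs(req_len - p.payload_len) > size_slack:
                findings.append(("size-mismatch", p))
    return findings

# Constructed sample: one normal ping exchange, one reply carrying far more data
# than was sent, one reply nobody asked for, and one with a bogus sub-code.
SAMPLE = [
    Icmp(1.0, "192.168.10.123", "10.0.0.5", 8, 0, 0x1234, 1, 56),
    Icmp(1.1, "10.0.0.5", "192.168.10.123", 0, 0, 0x1234, 1, 56),
    Icmp(2.0, "192.168.10.123", "10.0.0.5", 8, 0, 0x1234, 2, 56),
    Icmp(2.1, "10.0.0.5", "192.168.10.123", 0, 0, 0x1234, 2, 1024),
    Icmp(3.0, "203.0.113.9", "192.168.10.50", 0, 0, 0x0001, 7, 666),
    Icmp(4.0, "10.0.0.5", "192.168.10.123", 0, 3, 0x1234, 3, 56),
]

if __name__ == "__main__":
    for reason, p in audit_echo_replies(SAMPLE):
        print(f"{reason:18} {p.src} -> {p.dst} id={p.ident} seq={p.seq} len={p.payload_len}")
```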
Thursday, June 25. 2009
TCP/UDP Port 0
Posted by Jason Robertson in TCP/UDP Ports at 07:59
Last modified on 2021-11-06 12:53
Sample Trace:
No Trace available
Description:
TCP/UDP port 0 is a reserved port and should not be seen in the real world. It is sometimes used in network programming to ask the system to dynamically assign the next available port, though this does not work in Windows programming.
Causes:
The places you will most often see this are firewall logs, or summaries of firewall logs. This is usually because the software has tried to standardize its output, compounded by the fact that ICMP has a response type 0, the echo reply, which such summaries can render as port 0.
You may also see this port due to a vulnerability that would cause a Checkpoint Firewall-1 to crash.
Suggestions:
If you are running Checkpoint Firewall-1, make sure you have upgraded to a newer version. If you are running a program that creates packets destined for this port, contact the vendor about it, as you should not see this.
If it appears in firewall logs or summaries, you can contact the developers or vendors to add this information, but this is not always a critical issue for those organizations.
Links:
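A triage helper for the situation described under Causes: it reads firewall log lines field by field and separates ICMP echo replies (which a summariser may print as "port 0") from packets that genuinely carry TCP/UDP port 0 and warrant a call to the sending software's vendor. Added example, not from the original post; the iptables-style log lines are constructed.

```python
import re
from collections import Counter

# Constructed iptables-style LOG lines (not from the original post)
LOG_LINES = """\
Jun 25 07:59:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.10.123 PROTO=ICMP TYPE=0 CODE=0 ID=4660 SEQ=1
Jun 25 07:59:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.10.22 PROTO=TCP SPT=44123 DPT=0 WINDOW=1024 SYN
Jun 25 07:59:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.10.22 PROTO=UDP SPT=0 DPT=53 LEN=48
Jun 25 07:59:05 fw kernel: IN=eth0 OUT= SRC=192.168.10.5 DST=192.168.10.22 PROTO=TCP SPT=51000 DPT=22 SYN
""".splitlines()

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value tokens; OUT= has an empty value

def parse(line):
    """Turn one log line into a dict of its KEY=value fields."""
    return dict(FIELD.findall(line))

def classify(fields):
    """Decide what a 'port 0' in a summary would really have been."""
    proto = fields.get("PROTO", "").upper()
    if proto == "ICMP":
        # No ports at all; type 0 is the echo reply the post mentions.
        return "icmp-echo-reply" if fields.get("TYPE") == "0" else "icmp-other"
    if proto in ("TCP", "UDP"):
        if fields.get("DPT") == "0" or fields.get("SPT") == "0":
            return "real-port-0"   # reserved port actually on the wire: investigate the sender
        return "normal"
    return "unknown"

def triage(lines):
    """Return (class counts, source addresses that really used port 0)."""
    counts = Counter()
    port0_sources = []
    for line in lines:
        fields = parse(line)
        kind = classify(fields)
        counts[kind] += 1
        if kind == "real-port-0":
            port0_sources.append(fields.get("SRC"))
    return counts, port0_sources

if __name__ == "__main__":
    counts, sources = triage(LOG_LINES)
    print(dict(counts))
    print("real port-0 senders:", sorted(set(sources)))
```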
Tuesday, June 23. 2009
TCP Port 22
Sample Trace:
06:29:38.496457 IP 192.168.10.123.1237 > 192.168.10.22.22: S 3385009596:3385009596(0) win 16384 <mss 1460,nop,nop,sackOK>
Description: TCP port 22 is commonly used for SSH versions 1 and 2. SSH, or Secure Shell, is a network protocol that allows data to be exchanged over a secure, encrypted channel. SSH is commonly used to run command-line applications, but it also allows tunneling of TCP protocols, as well as X11 traffic.
Other SSH functions include SCP (Secure Copy), SFTP (Secure FTP) and RSH-style remote command capabilities.
Authentication for SSH can be done with SSH keys, which allow password-less secured authentication (though the key itself can also be protected with a password), or with passwords; the latter is less secure, as it can still allow man-in-the-middle attacks.
SSH v1 should be considered obsolete, as there is an inherent weakness in the implementation of version 1. A second inherent weakness in the protocol is the requirement to trust the SSH public keys generated by the user or for the server, so trust is required from both the server administrator and the remote user.
Causes:
Recently there have been ongoing scans for this port which, when a live server is found, attempt to brute-force passwords for common accounts including root. I've personally seen up to 2000 failed connections in a 24 hour period.
Suggestions:
- Disable SSH v1; this protocol is to be considered obsolete.
- Disable SSH root access; root should never have direct remote access.
- If possible, disable password authentication.
- If possible, move the listening port to another port to reduce the brute-force attacks.
- Rate-limit incoming connections on a firewall (on Linux, the iptables limit and state modules).
- If password authentication is still being used, consider using pam_tally (Linux), denyhosts or pam_abl (Linux; you need to use the development code with the latest) to limit brute-force attempts.
- Secure the user accounts: you can use rbash, or you can chroot the accounts (though this could be a great deal of work).
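The first four suggestions as a check against an sshd_config, with a weak fragment beside a hardened one. Added example, not from the original post; both config fragments are constructed, the reader follows sshd's first-occurrence-wins rule but ignores Match blocks, and missing keywords are assumed to take the old OpenSSH defaults noted in the code.

```python
import re

# Constructed sshd_config fragments (not from the original post): the weak one
# has the settings the post warns about, the other applies its suggestions.
WEAK_CONFIG = """
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """
Protocol 2
Port 2222            # moved off 22 to cut down on scan noise
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

def parse_sshd_config(text):
    """Minimal sshd_config reader: '#' comments, 'Key value' or 'Key=value',
    case-insensitive keywords, first occurrence wins (as sshd does).
    Match blocks are not handled (assumption: no conditional sections)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def audit(text):
    """Return the post's suggestions that the config does not yet follow.
    Absent keywords get the old OpenSSH defaults (assumed): Protocol 2,1,
    PermitRootLogin yes, PasswordAuthentication yes, Port 22."""
    s = parse_sshd_config(text)
    findings = []
    if "1" in s.get("protocol", "2,1").split(","):
        findings.append("SSH v1 enabled: set 'Protocol 2'")
    if s.get("permitrootlogin", "yes") != "no":
        findings.append("root can log in remotely: set 'PermitRootLogin no'")
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("password logins allowed: set 'PasswordAuthentication no' and use keys")
    if s.get("port", "22") == "22":
        findings.append("listening on port 22: consider moving to another port")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```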
Links
Saturday, February 3. 2007
UDP Broadcasts to Port 47474
Posted by Jason Robertson in TCP/UDP Ports at 19:37
Last modified on 2014-08-02 11:07
Sample trace:
IP w.x.y.z.2000 > 255.255.255.255.47474: UDP, length yyy
Description: This is a UDP broadcast packet that you may see on your network every 10 minutes, from one or more machines. It has come to my attention that this may also be used with BitTorrent, but from what I can tell it is not normal; I will look into this.
Cause:
This is caused by the Esker License Service, which broadcasts to find all licensed copies of Esker products on the local network. This process runs every 10 minutes while systems are running the service.
Suggestions:
Well, there is not much I can say about this; you cannot disable the service, or the Esker products running on the system will stop working. Things which do work (but remember that licenses may not allow them):
Recommendations for Esker
If you are a Network Administrator, block outbound traffic to 255.255.255.255; the world doesn't need to see this traffic.
Links