Abstract
Internet services rely on transport protocol port numbers to identify the source and destination application layer protocols. Although port 0 is not permitted in most transport protocols, a non-negligible share of Internet traffic uses port 0.
In this study, we dissect port 0 traffic to infer its possible origins and causes using five complementary flow-level and packet-level datasets. We observe 73 GB of port 0 traffic in one week of IXP traffic, most of which we identify as an artifact of packet fragmentation. In our packet-level datasets, most traffic originates from a small number of hosts, and while most packets carry no payload, a major fraction of the packets that do carry payload belong to the BitTorrent protocol. Moreover, we find distinctive traffic patterns commonly seen in scanning. In addition to analyzing passive traces, we also conduct an active measurement campaign to study how different networks react to port 0 traffic. We find an unexpectedly high response rate for TCP port 0 probes in IPv4, with very low response rates for the other protocol types. Finally, we will be running continuous port 0 measurements and providing the results to the measurement community.
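An added illustration (not code from the paper or its authors) of why fragmentation shows up as port 0 in flow data: only the first fragment of an IPv4 packet carries the transport header, so a flow exporter records ports 0/0 for every later fragment. The packets below are constructed inline, and the exporter logic is a minimal model written for this example.

```python
import socket
import struct
from collections import Counter

def build_ipv4(src, dst, proto, frag_offset, more_frags, payload):
    """Build a minimal IPv4 packet (checksum left zero) around a payload.
    frag_offset is in 8-byte units, exactly as in the header field."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def flow_key(pkt):
    """Extract the 5-tuple the way a flow exporter does: a non-first fragment
    (fragment offset > 0) has no transport header, so its ports become 0/0."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    nonfirst = frag_offset > 0
    if nonfirst or proto not in (6, 17):      # TCP=6, UDP=17 carry ports
        sport = dport = 0
    else:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, proto, sport, dport, nonfirst

def classify_port0(packets):
    """Separate fragmentation artifacts from genuine TCP/UDP port 0 packets."""
    counts = Counter()
    for pkt in packets:
        _, _, proto, sport, dport, nonfirst = flow_key(pkt)
        if sport != 0 and dport != 0:
            counts["regular"] += 1
        elif nonfirst:
            counts["fragment artifact"] += 1
        elif proto in (6, 17):
            counts["genuine port 0"] += 1
        else:
            counts["no transport ports"] += 1
    return counts

# Constructed sample (documentation addresses): a UDP datagram split in two
# fragments (first carries 8 bytes, so the second has offset 1), plus an
# unfragmented TCP packet genuinely addressed to destination port 0.
SAMPLE = [
    build_ipv4("192.0.2.1", "198.51.100.7", 17, 0, True,
               struct.pack("!HHHH", 51000, 6881, 24, 0)),
    build_ipv4("192.0.2.1", "198.51.100.7", 17, 1, False, b"\x00" * 16),
    build_ipv4("192.0.2.9", "198.51.100.7", 6, 0, False,
               struct.pack("!HH", 40000, 0) + b"\x00" * 16),
]

if __name__ == "__main__":
    print(classify_port0(SAMPLE))
```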
Notes
1. Note that due to the nature of traceroute measurements, missing traceroute responses could stem from filtered packets on the forward path, rate-limiting of ICMP packets at the routers, or dropping of ICMP responses on the return path.
Acknowledgments
We are thankful to the anonymous reviewers as well as our shepherd Ramakrishna Padmanabhan for their constructive feedback. We also thank the large European IXP, MAWI, the University of Waikato, and CAIDA for providing the data used in our analysis.
Appendices
A Additional Traceroute Analyses
We perform additional analyses for the active traceroute measurements, which we provide in the following.
A.1 Last Responsive Hops
We specifically analyze the last responsive hop of each trace. More concretely, we are interested in the distance, i.e., the largest TTL value of a traceroute at which we still receive an ICMP response. This allows us to determine whether TCP/0 traceroutes are, e.g., dropped earlier in the network and therefore terminate earlier in the Internet.
To this end, we compare the distribution of the last responsive hop. The left part of Fig. 8 shows the distribution of the last responsive hop for IPv4 and IPv6, respectively. The only visible difference for IPv4 is the lower whiskers for TCP/0, which stem from the fact that TCP/80 and TCP/443 have slightly more outliers with high TTLs for the last responsive hop. For IPv6, TCP/0 has a median of 13, whereas TCP/80 and TCP/443 have a median last responsive hop TTL of 14. The distributions are nonetheless almost identical: since all elements (namely path lengths) are integers, the median can only take integer values, so TCP/0’s median is “just below” 14 and the others’ median is “just above” 14. All in all, the box plots show no significant difference in the last responsive hop depending on the transport port.
A.2 Number of Responsive Hops
Next, we try to answer the question of whether fewer routers on the path send ICMP messages for port 0 traceroute traffic.
The right part of Fig. 8 shows the box plot of the number of responsive hops. Again, we see no evidence of routers sending fewer ICMP responses for port 0 traffic. We only see a slight reduction of TCP/443 ICMP responses per trace in IPv4.
A.3 ICMP Types and Codes
Finally, we evaluate the different ICMP types and codes sent by routers.
Figure 9 shows the distribution of type and code combinations for ICMP and ICMPv6, respectively. As expected, the vast majority are of type “Time to Live exceeded in Transit” for IPv4 and “hop limit exceeded in transit” for IPv6. We see almost identical distributions for port 0 and the other ports.
B Additional Passive Analysis
We analyze hourly patterns of port 0 traffic grouped by source AS, compared with the total port 80 traffic as a reference for regular traffic. Due to space limitations we publish the figure on our website:
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Maghsoudlou, A., Gasser, O., Feldmann, A. (2021). Zeroing in on Port 0 Traffic in the Wild. In: Hohlfeld, O., Lutu, A., Levin, D. (eds) Passive and Active Measurement. PAM 2021. Lecture Notes in Computer Science, vol 12671. Springer, Cham. https://doi.org/10.1007/978-3-030-72582-2_32
DOI: https://doi.org/10.1007/978-3-030-72582-2_32
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-72581-5
Online ISBN: 978-3-030-72582-2