
Zeroing in on Port 0 Traffic in the Wild

Conference paper. Passive and Active Measurement (PAM 2021)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 12671)

Abstract

Internet services leverage transport protocol port numbers to specify the source and destination application layer protocols. While using port 0 is not allowed in most transport protocols, we see a non-negligible share of traffic using port 0 in the Internet.

In this study, we dissect port 0 traffic to infer its possible origins and causes using five complementing flow-level and packet-level datasets. We observe 73 GB of port 0 traffic in one week of IXP traffic, most of which we identify as an artifact of packet fragmentation. In our packet-level datasets, most traffic is originated from a small number of hosts and while most of the packets have no payload, a major fraction of packets containing payload belong to the BitTorrent protocol. Moreover, we find unique traffic patterns commonly seen in scanning. In addition to analyzing passive traces, we also conduct an active measurement campaign to study how different networks react to port 0 traffic. We find an unexpectedly high response rate for TCP port 0 probes in IPv4, with very low response rates with other protocol types. Finally, we will be running continuous port 0 measurements and providing the results to the measurement community.
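The abstract attributes most of the IXP port 0 traffic to packet fragmentation. The following Python example (added here; it is not code from the paper or its authors) shows why: only the first fragment of an IP datagram carries the transport header, so a flow exporter that keys flows on the 5-tuple has no port numbers for later fragments and records 0. The exporter behaviour is modelled as an assumption, and the packets are constructed samples.

```python
import struct
from typing import NamedTuple

class FlowKey(NamedTuple):
    proto: int
    src_port: int
    dst_port: int
    frag_offset: int      # in 8-byte units; >0 means non-first fragment
    more_fragments: bool

def ipv4_packet(src, dst, proto, ident, mf, offset, payload):
    """Build a minimal IPv4 packet (constructed sample, checksum left at 0)."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

def flow_key(pkt):
    """Extract a 5-tuple the way a fragment-unaware flow exporter would (assumed behaviour)."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    proto = pkt[9]
    mf = bool(flags_frag & 0x2000)
    offset = flags_frag & 0x1FFF
    if offset == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    else:
        sport = dport = 0   # no transport header present: ports show up as 0
    return FlowKey(proto, sport, dport, offset, mf)

def classify_port0(keys):
    """Split port 0 flow keys into fragmentation artifacts and genuine port 0 packets."""
    artifacts, genuine = [], []
    for k in keys:
        if k.src_port == 0 or k.dst_port == 0:
            (artifacts if k.frag_offset > 0 else genuine).append(k)
    return artifacts, genuine

# Constructed sample: one UDP datagram split into two fragments, plus a real TCP/0 packet
SRC, DST = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1])
udp_hdr = struct.pack("!HHHH", 53000, 53, 8 + 1400, 0)
frag1 = ipv4_packet(SRC, DST, 17, 0x1234, True, 0, udp_hdr + b"A" * 1392)
frag2 = ipv4_packet(SRC, DST, 17, 0x1234, False, 175, b"A" * 8)   # offset 175*8 = 1400 bytes
tcp0 = ipv4_packet(SRC, DST, 6, 0x0001, False, 0, struct.pack("!HH", 40000, 0) + b"\x00" * 16)

SAMPLE_KEYS = [flow_key(p) for p in (frag1, frag2, tcp0)]
ARTIFACTS, GENUINE = classify_port0(SAMPLE_KEYS)
```

A defender triaging NetFlow/IPFIX port 0 alerts can apply the same fragment-offset check before treating such flows as scans or attacks.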


Notes

  1. Note that due to the nature of traceroute measurements, missing traceroute responses could stem from filtered packets on the forward path, rate-limiting of ICMP packets at the routers, or dropping of ICMP responses on the return path.


Acknowledgments

We are thankful to the anonymous reviewers as well as our shepherd Ramakrishna Padmanabhan for their constructive feedback. We also thank the large European IXP, MAWI, the University of Waikato, and CAIDA for providing the data used in our analysis.

Corresponding author: Aniss Maghsoudlou.

Appendices

A Additional Traceroute Analyses

We perform additional analyses for the active traceroute measurements, which we provide in the following.

A.1 Last Responsive Hops

We specifically analyze the last responsive hop of each trace. More concretely, we are interested in the distance, i.e., the largest TTL value of a traceroute for which we still receive an ICMP response. This allows us to determine whether TCP/0 traceroutes are, e.g., dropped earlier in the network and therefore terminate earlier in the Internet.

We therefore compare the distributions of the last responsive hop. The left part of Fig. 8 shows this distribution for IPv4 and IPv6, respectively. The only visible difference for IPv4 is the lower whiskers for TCP/0, which stems from TCP/80 and TCP/443 having slightly more outliers with high TTLs among the last responsive hops. For IPv6, TCP/0 has a median last responsive hop TTL of 13, while TCP/80 and TCP/443 have a median of 14. Since the medians are almost identical, this one-hop gap is an artifact of the median only being able to take integer values when all elements (namely path lengths) are integers: TCP/0’s median is therefore “just below” 14 and the others’ median “just above” 14. All in all, the box plots show no significant difference in the last responsive hop depending on the transport port.

Fig. 8. Box plot of last responsive hop (left) and the number of responsive hops (right) aggregated by transport port for IPv4 and IPv6, showing the median, first and third quartiles, mean (\(\blacktriangle \)), and 1.5 times IQR as whiskers.

A.2 Number of Responsive Hops

Next, we try to answer the question whether fewer routers on the path send ICMP messages for port 0 traceroute traffic.

In the right part of Fig. 8 we show the box plot of the number of responsive hops. Again, we see no evidence of routers sending fewer ICMP responses for port 0 traffic. We see a slight reduction of TCP/443 ICMP responses per trace in IPv4.

A.3 ICMP Types and Codes

Finally, we evaluate the different ICMP types and codes sent by routers.

Fig. 9. Distribution of ICMP(v6) type and code combinations for all responses split by transport protocol for IPv4 (left) and IPv6 (right).

Figure 9 shows the distribution of type and code combinations for ICMP and ICMPv6, respectively. As expected, the vast majority are of type “Time to Live exceeded in Transit” for IPv4 and “hop limit exceeded in transit” for IPv6. We see almost identical distributions for port 0 and the other ports.
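The three appendix analyses (A.1 last responsive hop, A.2 number of responsive hops, A.3 ICMP type/code distribution) reduce to a few per-trace statistics aggregated by transport port. The Python below is an added example, not the authors' analysis code: it computes all three over constructed traceroute results, represented as a mapping from probed TTL to the ICMP (type, code) received or None when the hop did not answer.

```python
from collections import Counter, defaultdict
from statistics import median

# ICMP(v6) type/code pairs named in Fig. 9 (the constructed sample only uses the IPv4 one)
TTL_EXCEEDED_V4 = (11, 0)        # "Time to Live exceeded in Transit"
HOP_LIMIT_EXCEEDED_V6 = (3, 0)   # "hop limit exceeded in transit"

def last_responsive_hop(hops):
    """A.1: largest TTL for which an ICMP response was received (0 if none)."""
    return max((ttl for ttl, resp in hops.items() if resp is not None), default=0)

def responsive_hop_count(hops):
    """A.2: number of probed hops that sent any ICMP response."""
    return sum(1 for resp in hops.values() if resp is not None)

def summarize(traces):
    """Per transport port: median last responsive hop, median number of responsive
    hops (Fig. 8), and the ICMP type/code distribution (Fig. 9)."""
    last, count, codes = defaultdict(list), defaultdict(list), defaultdict(Counter)
    for port, hops in traces:
        last[port].append(last_responsive_hop(hops))
        count[port].append(responsive_hop_count(hops))
        codes[port].update(resp for resp in hops.values() if resp is not None)
    # statistics.median returns the mean of the two middle values for even-length input,
    # so it can show a half-integer where an integer-only median (as in Fig. 8) cannot.
    return {p: {"median_last_hop": median(last[p]),
                "median_responsive_hops": median(count[p]),
                "icmp_codes": dict(codes[p])} for p in last}

def trace(port, length, missing=()):
    """Constructed trace: hops 1..length answer with TTL exceeded, except those in missing."""
    return port, {ttl: (None if ttl in missing else TTL_EXCEEDED_V4)
                  for ttl in range(1, length + 1)}

# Constructed sample: three traces per port, roughly mirroring the IPv6 medians in A.1
SAMPLE_TRACES = [
    trace(0, 13), trace(0, 14, missing=(5,)), trace(0, 13, missing=(2, 9)),
    trace(80, 14), trace(80, 15, missing=(7,)), trace(80, 14),
    trace(443, 14, missing=(3,)), trace(443, 16), trace(443, 14, missing=(4,)),
]
SUMMARY = summarize(SAMPLE_TRACES)
```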

B Additional Passive Analysis

We analyze hourly patterns of port 0 traffic grouped by source AS, compared with the total port 80 traffic as a reference for regular traffic. Due to space limitations we publish the figure on our website:

inet-port0.mpi-inf.mpg.de


Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

Maghsoudlou, A., Gasser, O., Feldmann, A. (2021). Zeroing in on Port 0 Traffic in the Wild. In: Hohlfeld, O., Lutu, A., Levin, D. (eds) Passive and Active Measurement. PAM 2021. Lecture Notes in Computer Science, vol 12671. Springer, Cham. https://doi.org/10.1007/978-3-030-72582-2_32


  • DOI: https://doi.org/10.1007/978-3-030-72582-2_32


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-72581-5

  • Online ISBN: 978-3-030-72582-2
