UDP Port 0 not blockable

To: debian-firewall@lists.debian.org
Subject: UDP Port 0 not blockable
From: Andres Taylor <andres@rotselleri.com>
Date: 14 May 2003 09:56:22 +0200
Message-id: <[🔎] 1052898981.1251.12.camel@AP022666.djingis.se>

Hi folks!

I have this weird problem. Every 5 minutes, someone is sending me one or
two strange packets.

Snort logs it like this:
05/14-09:47:30.457304  [**] [1:525:4] BAD TRAFFIC udp port 0 traffic
[**] [Classification: Misc activity] [Priority: 3] {UDP} x.x.x.x:411 ->
y.y.y.y:0

And a tcpdump looks like this:

tcpdump -N -s0 -vvv -X host y.y.y.y

09:42:29.589114 XXX.411 > YYY.0:  [udp sum ok] udp 32 (ttl 116, id 9148,
len 60)
0x0000   4500 003c 23bc 0000 7411 97f6 d9d2 20ac        E..<#...t.......
0x0010   d91f b760 019b 0000 0028 2250 2455 7020        ...`.....("P$Up.
0x0020   6d61 7473 726f 6220 726f 6265 7274 736f        matsrob.robertso
0x0030   6e2e 6e6f 2d69 702e 636f 6d7c                  n.no-ip.com|

Now the weird problem is that I can't for my life block these packets!
I've tried blocking them like this:
iptables -I INPUT -s y.y.y.y -j DROP
And the same for OUTPUT and FORWARD, and I've tried blocking on UDP port
0, but they still come in.

I see them with snort, even when the interface is not in promiscious
mode. What can I do? I'm stuck.

Cheers,

Andrés

Reply to:

Follow-Ups:
- Re: UDP Port 0 not blockable
  - From: Andres Taylor <andres.taylor@apptus.se>
- Re: UDP Port 0 not blockable
  - From: Subredu Manuel <diablo@iasi.roedu.net>
- Re: UDP Port 0 not blockable
  - From: Celso González <celso@mitago.net>

Prev by Date: Re: PPTP VPN
Next by Date: Re: UDP Port 0 not blockable
Previous by thread: Re: PPTP VPN
Next by thread: Re: UDP Port 0 not blockable
Index(es):
- Date
- Thread