Cisco reported that spikes in TCP port zero traffic is an alarm that more serious attacks may be on their way. How can this be told from port zero traffic and what should my enterprise do to mitigate the risks?
Ask the expert
Our experts are ready to answer your network security questions. Submit them now via email!
After reading the reports disseminated by Cisco, I came away with more questions than answers. The primary reason is because Cisco did not reveal the destination of the TCP port zero traffic it has observed. Knowing this may reveal the nature of the traffic in terms of intent.
TCP port zero is an odd port in that not all operating systems recognize it and the Internet Assigned Numbers Authority has deemed it to be reserved for research purposes. Therefore, the traffic mentioned in Cisco's report may have been just that -- research. So why is Cisco concerned by the uptick in TCP port zero traffic? The answer lies in the peculiarity of the port itself.
Many times, packet sniffers will detect packets coming across an assigned network interface and will deem certain packets as originating from TCP port zero when in actuality the originating port is not port zero at all. So what are they? These packets may simply be TCP traffic without a Layer 4 header and the sniffer labeled the source port field as TCP port zero as a type of shorthand notation. This is commonly seen in Internet Control Message Protocol (ICMP) traffic when the originating host sends a ping attempt to another node within the network. Technically, in the case of the Cisco report, much of the traffic deemed as originating from TCP port zero could have been a large number of ping attempts, which often denotes a type of reconnaissance.
So what should an enterprise do? First, determine whether your network will allow ICMP attempts. Most enterprise networks do, as ICMP is an excellent troubleshooting mechanism. However, some networks do not allow ICMP traffic from external networks as a means of guarding against ping floods and other similar types of denial-of-service attacks. The decision to authorize ICMP traffic must be made on a case-by-case basis.
Second, determine whether your firewall infrastructure has the ability to detect traffic from TCP port zero and, if so, block all traffic from this port. Because TCP port zero is categorized as reserved, many firewalls do not even recognize traffic from port zero and therefore cannot block traffic from it.
Finally, if your organization has decided against the use of ICMP traffic and you have configured your firewall to block all traffic with a source port of TCP zero yet TCP port zero traffic is still making it through your firewall, you'll want to contact the firewall vendor, as this may indicate either a quirk within the firewall operating system or a flaw.
This was first published in February 2014