Traffic from port 0

kiokoman

just out of curiosity but how could this happen?

i have alot of this on my log
Aug 18 10:38:38 WAN Block traffic from port 0 (1000000114) 2.229.0.222 192.168.1.200:123 UDP
Aug 18 10:38:36 WAN Block traffic from port 0 (1000000114) 2.229.0.222 192.168.1.200:123 UDP
Aug 18 10:38:35 WAN Block traffic from port 0 (1000000114) 2.229.0.222 192.168.1.200:123 UDP

they probably have some misconfiguration. what can it be that make them transmit from port 0 ?

NogBadTheBad

@kiokoman said in Traffic from port 0:

2.229.0.222

Are Fastweb your ISP, looks like a misconfigured host asking 192.168.1.200 for NTP info.

AS details for 2.229.0.222 :-

route:          2.224.0.0/13
descr:          Fastweb Networks block
origin:         AS12874
remarks:
remarks:        In case of improper use originating from our network,
remarks:        please mail customer or abuse@fastweb.it
remarks:
mnt-by:         FASTWEB-MNT
created:        2011-02-07T10:33:03Z
last-modified:  2011-02-07T10:33:03Z
source:         RIPE
remarks:        ****************************
remarks:        * THIS OBJECT IS MODIFIED
remarks:        * Please note that all data that is generally regarded as personal
remarks:        * data has been removed from this object.
remarks:        * To view the original object, please query the RIPE Database at:
remarks:        * http://www.ripe.net/whois
remarks:        ****************************


Sunday, 18 August 2019 at 10:25:56 British Summer Time

kiokoman

no i'm "192.168.1.200", i have a ntp server that is part of a pool

NogBadTheBad

@kiokoman said in Traffic from port 0:

no i'm "192.168.1.200", i have a ntp server that is part of a pool

Your WAN address is 192.168.1.200 or 192.168.1.200 is on your LAN and there is NAT going on ?

IIRC firewall rule 1000000114 is the default deny WAN rule.

kiokoman

of course there is nat going on
what is strange and i never saw before is "WAN Block traffic from port 0"
so the question was, what kind of misconfiguration can permit traffic to go out of port 0
personally i have no problem, this is the only host blocked with that kind of error.
2.229.0.222 must have something misconfigured, what could that be?
the port are from 1 to 65535, if you set port to 0 on any program you are only telling it to use a random port, i don't see how this is possible in the first place

johnpoz

Yeah that really should not be possible.. If I had to guess, I would say their client is out of available ports to use for source.. If recall application creates its socket it asks for a port and this could be done via port 0, which the system should then bind it to an open source port to use..

Are you seeing a lot of that traffic?

Looks like to be a mail server out of Italy.. are you in that region of the world?
;; ANSWER SECTION:
222.0.229.2.in-addr.arpa. 86400 IN PTR mail.hilex.it.

Some law firm maybe?

If your not in that area - they shouldn't be talking to you anyway.. ntp pool makes more sense to query ntp servers in your area.. asking something on the other side of the planet for time is not going to be the best accuracy ;)

kiokoman

yes i'm from italy

johnpoz

Ah - well then that makes more sense then.. Maybe you could reach out to them and tell them hey their ntp prob not going to be working if they are asking from source port 0 ;)

kiokoman

yeah that was my intention, but before that I wanted to understand what it was all about

johnpoz

Unless their box has been compromised.. Is prob just a issue on the box..

That would be very nice of you to let them know.. Cuz yeah nobody really going to be answering their ntp queries.. Not from that source port.

The trick will be getting someone to even look at your emails ;) Not all companies monitor abuse email addresses, but since that IP says its mail for a company.. You might be able to reach their IT dept..

They should for sure buy you a beer if you help them out like that ;) hehehehe

kiokoman

the problem is that his email server is down, his web site is also down (it was working an hour ago now it's telling me "There is no SSL certificate configured for this domain." ) i will wait some hours maybe they are doing something, eventually i can contact his isp

NogBadTheBad

@johnpoz said in Traffic from port 0:

mail.hilex.it

Their cert is hosed, if they don't care about that, I wonder if they'll even care about the offending host.

It may be something you have to ignore.

Screenshot 2019-08-18 at 11.12.37.png

johnpoz

Well their email server being down prob would be yeah issue with the ports if asking for stuff from source 0..

I was just on their website though, atleast believe its theirs.. Different IP.

http://hilex.it/

But yeah https is down on that site - certs got the wrong freaking domain on it ;) My guess is they need some IT help... hehehehehe

kiokoman

maybe he can be a new customer

johnpoz

That would be great story for sure!

So found a new customer to support, yeah they were sending out shit traffic that my firewall blocked.. So I contacted them about it - now I provide their IT support... heheeheheh

That for sure should be posted somewhere... How monitoring your firewall logs can find you new customers ;)