Traffic from port 0


  • LAYER 8

    just out of curiosity but how could this happen?

    i have alot of this on my log
    Aug 18 10:38:38 WAN Block traffic from port 0 (1000000114) 2.229.0.222 192.168.1.200:123 UDP
    Aug 18 10:38:36 WAN Block traffic from port 0 (1000000114) 2.229.0.222 192.168.1.200:123 UDP
    Aug 18 10:38:35 WAN Block traffic from port 0 (1000000114) 2.229.0.222 192.168.1.200:123 UDP

    they probably have some misconfiguration. what can it be that make them transmit from port 0 ?


  • Galactic Empire

    @kiokoman said in Traffic from port 0:

    2.229.0.222

    Are Fastweb your ISP, looks like a misconfigured host asking 192.168.1.200 for NTP info.

    AS details for 2.229.0.222 :-
    
    route:          2.224.0.0/13
    descr:          Fastweb Networks block
    origin:         AS12874
    remarks:
    remarks:        In case of improper use originating from our network,
    remarks:        please mail customer or abuse@fastweb.it
    remarks:
    mnt-by:         FASTWEB-MNT
    created:        2011-02-07T10:33:03Z
    last-modified:  2011-02-07T10:33:03Z
    source:         RIPE
    remarks:        ****************************
    remarks:        * THIS OBJECT IS MODIFIED
    remarks:        * Please note that all data that is generally regarded as personal
    remarks:        * data has been removed from this object.
    remarks:        * To view the original object, please query the RIPE Database at:
    remarks:        * http://www.ripe.net/whois
    remarks:        ****************************
    
    
    Sunday, 18 August 2019 at 10:25:56 British Summer Time
    

  • LAYER 8

    no i'm "192.168.1.200", i have a ntp server that is part of a pool


  • Galactic Empire

    @kiokoman said in Traffic from port 0:

    no i'm "192.168.1.200", i have a ntp server that is part of a pool

    Your WAN address is 192.168.1.200 or 192.168.1.200 is on your LAN and there is NAT going on ?

    IIRC firewall rule 1000000114 is the default deny WAN rule.


  • LAYER 8

    of course there is nat going on
    what is strange and i never saw before is "WAN Block traffic from port 0"
    so the question was, what kind of misconfiguration can permit traffic to go out of port 0
    personally i have no problem, this is the only host blocked with that kind of error.
    2.229.0.222 must have something misconfigured, what could that be?
    the port are from 1 to 65535, if you set port to 0 on any program you are only telling it to use a random port, i don't see how this is possible in the first place


  • LAYER 8 Global Moderator

    Yeah that really should not be possible.. If I had to guess, I would say their client is out of available ports to use for source.. If recall application creates its socket it asks for a port and this could be done via port 0, which the system should then bind it to an open source port to use..

    Are you seeing a lot of that traffic?

    Looks like to be a mail server out of Italy.. are you in that region of the world?
    ;; ANSWER SECTION:
    222.0.229.2.in-addr.arpa. 86400 IN PTR mail.hilex.it.

    Some law firm maybe?

    If your not in that area - they shouldn't be talking to you anyway.. ntp pool makes more sense to query ntp servers in your area.. asking something on the other side of the planet for time is not going to be the best accuracy ;)


  • LAYER 8

    yes i'm from italy
    Immagine.jpg


  • LAYER 8 Global Moderator

    Ah - well then that makes more sense then.. Maybe you could reach out to them and tell them hey their ntp prob not going to be working if they are asking from source port 0 ;)


  • LAYER 8

    yeah that was my intention, but before that I wanted to understand what it was all about


  • LAYER 8 Global Moderator

    Unless their box has been compromised.. Is prob just a issue on the box..

    That would be very nice of you to let them know.. Cuz yeah nobody really going to be answering their ntp queries.. Not from that source port.

    The trick will be getting someone to even look at your emails ;) Not all companies monitor abuse email addresses, but since that IP says its mail for a company.. You might be able to reach their IT dept..

    They should for sure buy you a beer if you help them out like that ;) hehehehe


  • LAYER 8

    the problem is that his email server is down, his web site is also down (it was working an hour ago now it's telling me "There is no SSL certificate configured for this domain." ) i will wait some hours maybe they are doing something, eventually i can contact his isp


  • Galactic Empire

    @johnpoz said in Traffic from port 0:

    mail.hilex.it

    Their cert is hosed, if they don't care about that, I wonder if they'll even care about the offending host.

    It may be something you have to ignore.

    Screenshot 2019-08-18 at 11.12.37.png


  • LAYER 8 Global Moderator

    Well their email server being down prob would be yeah issue with the ports if asking for stuff from source 0..

    I was just on their website though, atleast believe its theirs.. Different IP.

    http://hilex.it/

    But yeah https is down on that site - certs got the wrong freaking domain on it ;) My guess is they need some IT help... hehehehehe


  • LAYER 8

    maybe he can be a new customer 😂


  • LAYER 8 Global Moderator

    That would be great story for sure!

    So found a new customer to support, yeah they were sending out shit traffic that my firewall blocked.. So I contacted them about it - now I provide their IT support... heheeheheh

    That for sure should be posted somewhere... How monitoring your firewall logs can find you new customers ;)


Log in to reply