07-14-2015 11:49 AM - edited 03-11-2019 11:15 PM
Support Community,
Ok, so recently we started to see a spike in tcp & udp traffic with the source and destination ports as 0. I did a little research and found this article from PC World,
which states that this is unusual traffic and should generally be treated as suspicious.
So I created the following ACLs and applied them on one of our Vlans to try and identify the source or sources.
++++++++++
ITHALLWAY#sh ip access-lists
Extended IP access list SNIFFER_1
10 permit ip any any log
Extended IP access list SNIFFER_2
5 deny tcp host 10.15.1.46 eq 0 any eq 0
10 deny udp host 10.15.1.46 eq 0 any eq 0
15 permit ip any any log
Extended IP access list SNIFFER_3
5 deny tcp any eq 0 any eq 0
10 deny udp any eq 0 any eq 0
15 permit ip any any log
++++++++++
First I applied ACL SNIFFER_1 to show the tcp & udp port 0 traffic was coming from various sources within the Vlan. You can see them below.
Log Buffer (8192 bytes):
Jul 14 11:06:29: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.12.50.225(0) -> 10.15.101.21(0), 1 packet
Jul 14 11:06:30: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.1.56(0) -> 10.15.8.110(0), 1 packet
Jul 14 11:06:31: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted tcp 10.7.0.30(0) -> 10.15.1.19(0), 1 packet
Jul 14 11:06:32: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.1.56(0) -> 10.15.8.110(0), 1 packet
Jul 14 11:06:33: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted tcp 10.15.1.52(0) -> 10.15.8.221(0), 1 packet
Jul 14 11:06:34: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.8.110(0) -> 10.15.1.48(0), 1 packet
Jul 14 11:06:35: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.8.110(0) -> 10.15.1.54(0), 1 packet
Jul 14 11:06:36: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted tcp 10.15.1.12(0) -> 23.235.40.73(0), 1 packet
Jul 14 11:06:37: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted tcp 10.15.1.37(0) -> 10.7.0.30(0), 1 packet
Jul 14 11:06:38: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.1.19(0) -> 10.15.1.255(0), 1 packet
Jul 14 11:06:39: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted tcp 10.15.1.19(0) -> 64.4.54.253(0), 1 packet
Jul 14 11:06:40: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted tcp 10.15.1.10(0) -> 68.67.129.22(0), 1 packet
Jul 14 11:06:41: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.1.56(0) -> 10.15.8.110(0), 1 packet
Jul 14 11:06:42: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.8.110(0) -> 10.15.1.55(0), 1 packet
Jul 14 11:06:43: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted tcp 10.15.1.54(0) -> 10.15.8.110(0), 1 packet
Jul 14 11:06:44: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted tcp 10.15.1.46(0) -> 10.15.8.110(0), 1 packet
Jul 14 11:06:45: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.1.38(0) -> 10.1.0.178(0), 1 packet
Jul 14 11:06:46: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 68035 packets
Jul 14 11:06:47: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted tcp 10.15.1.38(0) -> 10.1.0.80(0), 1 packet
Jul 14 11:06:48: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.1.38(0) -> 74.125.28.189(0), 1 packet
Jul 14 11:06:49: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted tcp 10.15.1.55(0) -> 10.15.8.110(0), 1 packet
Jul 14 11:06:50: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.1.55(0) -> 10.15.8.110(0), 1 packet
ITHALLWAY#
++++++++++
Second, I applied ACL - SNIFFER_2 to block IP address 10.15.1.46 from sending the tcp & udp port 0 traffic. Results are below.
Jul 14 11:10:10: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.1.56(0) -> 10.15.8.110(0), 1 packet
Jul 14 11:10:11: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.101.29(0) -> 10.12.50.225(0), 1 packet
Jul 14 11:10:13: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted tcp 10.15.1.75(0) -> 10.16.8.220(0), 1 packet
Jul 14 11:10:14: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.8.110(0) -> 10.15.1.46(0), 1 packet
Jul 14 11:10:15: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted udp 10.15.1.54(4172) -> 10.15.8.110(4172), 1 packet
Jul 14 11:10:16: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted tcp 4.26.67.80(0) -> 10.15.1.10(0), 1 packet
Jul 14 11:10:17: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.8.110(0) -> 10.15.1.56(0), 1 packet
Jul 14 11:10:18: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted tcp 10.15.1.42(62033) -> 10.7.0.30(36437), 1 packet
Jul 14 11:10:19: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.1.0.80(0) -> 10.15.1.200(0), 1 packet
Jul 14 11:10:20: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted tcp 10.15.1.10(56779) -> 10.16.8.220(443), 1 packet
Jul 14 11:10:21: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted tcp 10.15.1.31(51100) -> 10.1.121.11(80), 1 packet
Jul 14 11:10:21: %SYS-5-CONFIG_I: Configured from console by bschoonover on vty0 (10.15.99.29)
Jul 14 11:10:22: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted udp 10.15.1.35(137) -> 10.15.1.255(137), 1 packet
Jul 14 11:10:24: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted udp 10.15.1.74(52187) -> 255.255.255.255(1947), 1 packet
Jul 14 11:10:26: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted udp 10.15.1.48(4172) -> 10.15.8.110(4172), 1 packet
Jul 14 11:10:27: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted udp 10.15.1.35(68) -> 255.255.255.255(67), 1 packet
Jul 14 11:10:28: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted udp 10.12.50.225(5247) -> 10.15.101.29(29284), 1 packet
Jul 14 11:10:29: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted udp 10.15.1.46(4172) -> 10.15.8.110(4172), 1 packet
Jul 14 11:10:30: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted udp 10.15.101.25(21792) -> 10.12.50.225(5247), 1 packet
Jul 14 11:10:31: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted tcp 68.142.104.20(1935) -> 10.15.1.28(59670), 1 packet
Jul 14 11:10:32: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted tcp 10.15.1.73(64046) -> 10.16.8.220(443), 1 packet
Jul 14 11:10:33: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted udp 10.15.71.251(65289) -> 10.15.1.10(12502), 1 packet
Jul 14 11:10:34: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted udp 10.15.71.251(65289) -> 10.15.1.10(12502), 1 packet
Jul 14 11:10:35: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted udp 10.15.71.251(65234) -> 10.15.1.10(12500), 1 packet
Jul 14 11:10:36: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted tcp 10.15.1.12(59340) -> 54.85.184.164(80), 1 packet
Jul 14 11:10:37: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted tcp 10.16.8.220(443) -> 10.15.1.30(57837), 1 packet
Jul 14 11:10:38: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted tcp 66.114.173.143(443) -> 10.15.1.61(52138), 1 packet
ITHALLWAY#
You will notice it blocked "ALL" tcp & udp port 0 traffic from any source IP address within the Vlan, not just from host 10.15.1.46.
++++++++++
Lastly, I applied ACL SNIFFER_3 to show there is no difference between the results of the SNIFFER_2 and SNIFFER_3 ACLs.
Jul 14 11:13:52: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted tcp 64.14.192.236(443) -> 10.15.1.35(59228), 1 packet
Jul 14 11:13:52: %SYS-5-CONFIG_I: Configured from console by bschoonover on vty0 (10.15.99.29)
Jul 14 11:13:53: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted udp 10.15.1.26(137) -> 10.15.1.255(137), 1 packet
Jul 14 11:13:57: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted udp 10.15.1.203(1230) -> 255.255.255.255(123), 1 packet
Jul 14 11:14:00: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted udp 10.15.8.110(4172) -> 10.15.1.48(4172), 1 packet
Jul 14 11:14:01: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted tcp 10.15.8.221(443) -> 10.15.1.29(55803), 1 packet
Jul 14 11:14:02: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted udp 10.15.8.110(4172) -> 10.15.1.54(4172), 1 packet
Jul 14 11:14:03: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted udp 10.15.71.251(65234) -> 10.15.1.10(12500), 1 packet
Jul 14 11:14:04: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted udp 10.15.1.56(4172) -> 10.15.8.110(4172), 1 packet
Jul 14 11:14:05: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted udp 10.15.1.75(58148) -> 216.58.217.206(443), 1 packet
Jul 14 11:14:06: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted udp 10.15.8.110(4172) -> 10.15.1.46(4172), 1 packet
Jul 14 11:14:07: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted udp 10.15.8.110(4172) -> 10.15.1.55(4172), 1 packet
Jul 14 11:14:08: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted udp 10.15.1.43(50002) -> 10.15.8.110(4172), 1 packet
Jul 14 11:14:09: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted tcp 10.15.1.48(41596) -> 10.15.8.110(4172), 1 packet
Jul 14 11:14:10: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted udp 10.15.71.251(65234) -> 10.15.1.10(12500), 1 packet
Jul 14 11:14:11: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted tcp 104.64.231.57(443) -> 10.15.1.11(61847), 1 packet
ITHALLWAY#
++++++++++
Now, I am not sure why ACL #2 blocked all tcp & udp port 0 traffic even though a specific host IP address was identified in the ACL. Nor can I account for why ACL #2 and #3 have the same results. In addition, I notice the "hit" counters never counted up for the denied entries in either ACL, despite the fact that we were no longer seeing the traffic in the output of the "sh logging" command.
ITHALLWAY#sh ip access-lists
Extended IP access list SNIFFER_1
10 permit ip any any log (517172 matches)
Extended IP access list SNIFFER_2
5 deny tcp host 10.15.1.46 eq 0 any eq 0
10 deny udp host 10.15.1.46 eq 0 any eq 0
15 permit ip any any log (357994 matches)
Extended IP access list SNIFFER_3
5 deny tcp any eq 0 any eq 0
10 deny udp any eq 0 any eq 0
15 permit ip any any log (134589 matches)
ITHALLWAY#
Can anyone help explain the abnormalities in the logging and hit counters of the ACLs? Does anyone have additional information regarding tcp & udp port 0 traffic? Should I consider it suspicious and possibly malicious and block it, or ignore it? I prefer the former myself. Your thoughts, expert advice and knowledge would be very welcome.
Thank you for your time.
Brian
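The three captures in the post contain the evidence for reading the "port 0" traffic as a logging effect rather than real packets: every (0) entry was produced by SNIFFER_1, whose only ACE matches on protocol ip and never looks at layer-4 ports, while the same conversations (for example udp 10.15.1.56 -> 10.15.8.110) reappear with port 4172 once an ACL that contains tcp/udp ACEs is applied. The script below is an added example, not part of the original post and not Cisco IOS code; it parses %SEC-6-IPACCESSLOGP lines, sums the packets the IPACCESSLOGRL rate limiter dropped, and correlates flows across ACLs so that a flow logged with (0) under one list and with real ports under another stands out. The sample lines are copied from the captures above and the regular expressions assume the message layout shown there.

```python
import re
from collections import defaultdict

# Constructed sample input: a handful of lines copied from the three captures in the
# post above (the full buffers are longer); this is not a live log feed.
LOG_SAMPLE = """\
Jul 14 11:06:30: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.1.56(0) -> 10.15.8.110(0), 1 packet
Jul 14 11:06:36: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted tcp 10.15.1.12(0) -> 23.235.40.73(0), 1 packet
Jul 14 11:06:46: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 68035 packets
Jul 14 11:10:10: %SEC-6-IPACCESSLOGP: list SNIFFER_1 permitted udp 10.15.1.56(0) -> 10.15.8.110(0), 1 packet
Jul 14 11:10:15: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted udp 10.15.1.54(4172) -> 10.15.8.110(4172), 1 packet
Jul 14 11:10:21: %SYS-5-CONFIG_I: Configured from console by bschoonover on vty0 (10.15.99.29)
Jul 14 11:10:29: %SEC-6-IPACCESSLOGP: list SNIFFER_2 permitted udp 10.15.1.46(4172) -> 10.15.8.110(4172), 1 packet
Jul 14 11:14:04: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted udp 10.15.1.56(4172) -> 10.15.8.110(4172), 1 packet
Jul 14 11:14:11: %SEC-6-IPACCESSLOGP: list SNIFFER_3 permitted tcp 104.64.231.57(443) -> 10.15.1.11(61847), 1 packet
"""

# Field layout of %SEC-6-IPACCESSLOGP as it appears in the captures above.
LOGP = re.compile(
    r"^(?P<ts>\w{3} +\d+ +[\d:]+): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)
# Rate-limit notice: the count of packets that matched a log ACE but were never logged.
LOGRL = re.compile(r"%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed (\d+) packets")


def parse_log(text):
    """Return (records, missed): parsed IPACCESSLOGP entries and the total number
    of packets the rate limiter dropped. Unrelated syslog lines are ignored."""
    records, missed = [], 0
    for line in text.splitlines():
        m = LOGP.match(line)
        if m:
            rec = m.groupdict()
            for k in ("sport", "dport", "count"):
                rec[k] = int(rec[k])
            records.append(rec)
            continue
        m = LOGRL.search(line)
        if m:
            missed += int(m.group(1))
    return records, missed


def port_zero_summary(records):
    """Per ACL, how many entries were logged with both ports 0 versus real ports."""
    summary = defaultdict(lambda: {"port0": 0, "with_ports": 0})
    for r in records:
        key = "port0" if (r["sport"], r["dport"]) == (0, 0) else "with_ports"
        summary[r["acl"]][key] += 1
    return dict(summary)


def correlate_flows(records):
    """Group entries by (proto, src, dst) and return only the flows that were logged
    with ports (0) under one ACL and with real ports under another. The endpoints
    did not change between captures, so such a flow shows the (0) is a logging
    artifact of the ACE that matched, not a property of the packets."""
    flows = defaultdict(lambda: {"port0_acls": set(), "ports": set(), "port_acls": set()})
    for r in records:
        f = flows[(r["proto"], r["src"], r["dst"])]
        if (r["sport"], r["dport"]) == (0, 0):
            f["port0_acls"].add(r["acl"])
        else:
            f["ports"].add((r["sport"], r["dport"]))
            f["port_acls"].add(r["acl"])
    return {k: v for k, v in flows.items() if v["port0_acls"] and v["ports"]}


if __name__ == "__main__":
    recs, missed = parse_log(LOG_SAMPLE)
    print(f"{len(recs)} ACL log entries parsed, {missed} packets rate-limited (never logged)")
    for acl, s in sorted(port_zero_summary(recs).items()):
        print(f"{acl}: {s['port0']} entries with ports (0), {s['with_ports']} with real ports")
    for (proto, src, dst), f in correlate_flows(recs).items():
        print(f"{proto} {src} -> {dst}: (0) under {sorted(f['port0_acls'])}, "
              f"ports {sorted(f['ports'])} under {sorted(f['port_acls'])}")
```

Run against the full "sh logging" buffers, the correlation step pairs each (0) flow from the first capture with its real ports in the later ones. The zero hit counts on the deny entries are consistent with that: if no packet actually carried source and destination port 0, nothing could match `eq 0 any eq 0`, and the permit ip any any log entry still caught everything. The IPACCESSLOGRL total is worth tracking separately, since 68035 missed packets in one interval means the logged sample is a small and rate-limited slice of what the ACE actually saw.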
08-12-2015 11:21 AM
This discussion has been reposted from Additional Communities to the Firewalling community.