03-27-2007 06:03 AM - edited 03-09-2019 05:41 PM
Hi,
I notice in our organisation an access list which is allowing TCP and UDP ports greater than 1.
What are ports (TCP and UDP) 0 and 1 used for? As I was reading on the internet I noticed that TCP port 1 is used for service multiplexing.
So when 2 hosts are trying to connect to each other via port 80 (www), it will first set up a TCP connection via SYN and ACK; after this the www service of host 1 is searching for the www service of host 2 via port 1. When www is found, a positive sign is sent to host 1 over TCP port 1. Is this correct?
When is port 0 used?
Again, on the internet I found that these ports are a kind of wildcard. When host 1 wants to send something over port 0 it is redirected to the next available port above 1023. And are those ports (above 1023) used for viruses and trojans?
Is this the way virus outbreaks are started?
Cheers
Jorg
03-27-2007 02:42 PM
Port 0 is reserved, meaning that it will never be assigned by IANA, the way that 80 was assigned to HTTP, etc. Various operating systems have handled it differently (i.e., some had bugs that would seem to indicate that their programmers did not realize that 0 was possible, but it should behave as any other unused port). Here you can see that Nessus has a vulnerability scanner plugin for Firewall-1, which apparently had a UDP port 0 DoS:
http://www.nessus.org/plugins/index.php?view=single&id=10074
I believe you are basically accurate about tcp-mux. My impression of it is that it was an old Unix service that might have helped for diagnostic purposes, but had security vulnerability problems that caused it to disappear over time. It sounds like it might have suffered from traffic amplification effects.
That all said, I don't know why ports 0 and 1 would be allowed. I would tend to think they were opened by mistake.
03-27-2007 07:41 PM
I believe that there is a clue in careful reading of the original post which says:
which is allowing tcp and udp ports greater than 1.
So the case is not that port 1 is allowed but that a RANGE greater than 1 is allowed. Without knowing more about the context of the access list we cannot know what is being done. But I will observe that at a customer that I support we use a similar construct in an access list used with RPF check, so that the log parameter used in the access list statement will report the TCP or UDP port. In logging by an access list, if the access list has not checked for port values then the log message cannot report the port value.
Perhaps the original poster can clarify the syntax of the access list that he is talking about.
HTH
Rick
03-29-2007 12:05 AM
Hi All,
I'm just wondering why you should deny ports 0 and 1 in an access list.
The access list implemented on our system has the following lines:
permit tcp host x.x.x.x host x.x.x.x gt 1 log
permit udp host x.x.x.x host x.x.x.x gt 1 log
Maybe it is recommended for security reasons that ports 0 and 1 are blocked. I saw in the Nessus link that port 0 can be abused for DoS.
Are there other reasons these ports can be abused?
03-29-2007 06:54 AM
As I stated in my previous post, without knowing more about how this access list is being used, we are not in a good position to comment on specifics of what should be denied or permitted.
The additional information that you show now does confirm that what is being done is "permit tcp greater than 1" so that the log messages being generated will include the TCP and UDP port numbers.
If you want discussion about specifics of what should be denied or permitted, then perhaps you can provide more information about this access list and how it is being used.
HTH
Rick
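To make Rick's point about the log parameter concrete, here is an added example (not from the thread or from Cisco) that parses ACL log messages of the kind a port-matching entry such as "gt 1 log" produces, pulls out the source and destination ports, and tallies hits on the low ports discussed above. The message layout is assumed to follow the Cisco IOS %SEC-6-IPACCESSLOGP style; the sample lines, hostnames and addresses are constructed for the example, and the "low port" threshold is an arbitrary parameter.

```python
import re
from collections import Counter

# Assumed Cisco IOS ACL log layout (IPACCESSLOGP), e.g.
# %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.5(1025) -> 192.0.2.10(80), 1 packet
# Entries that do not match on ports (e.g. IPACCESSLOGNP) carry no port fields and
# are deliberately left unparsed, which is the behaviour Rick describes.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log; not real traffic.
SAMPLE_LOG = """\
Mar 29 06:54:01 rtr1 123: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.5(1025) -> 192.0.2.10(80), 1 packet
Mar 29 06:54:02 rtr1 124: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.1.5(53000) -> 192.0.2.53(53), 3 packets
Mar 29 06:54:03 rtr1 125: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.9(0) -> 192.0.2.10(0), 1 packet
Mar 29 06:54:04 rtr1 126: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(4444) -> 192.0.2.10(1), 2 packets
Mar 29 06:54:05 rtr1 127: %SEC-6-IPACCESSLOGNP: list 101 denied 47 10.1.1.9 -> 192.0.2.10, 1 packet
"""


def parse_line(line):
    """Return a dict of fields for a port-bearing ACL log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "count"):
        fields[key] = int(fields[key])
    return fields


def summarize(lines, low_port_max=1):
    """Aggregate parsed lines: packets per (proto, dport) and low-port hits."""
    packets_by_dport = Counter()
    low_port_hits = []
    parsed = unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields is None:
            unparsed += 1          # no port information available for this entry
            continue
        parsed += 1
        packets_by_dport[(fields["proto"], fields["dport"])] += fields["count"]
        # Flag any entry touching the reserved/legacy ports (0 and 1 by default).
        if fields["sport"] <= low_port_max or fields["dport"] <= low_port_max:
            low_port_hits.append(fields)
    return {
        "parsed": parsed,
        "unparsed": unparsed,
        "packets_by_dport": packets_by_dport,
        "low_port_hits": low_port_hits,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"parsed={report['parsed']} unparsed={report['unparsed']}")
    for (proto, dport), pkts in sorted(report["packets_by_dport"].items()):
        print(f"{proto}/{dport}: {pkts} packets")
    for hit in report["low_port_hits"]:
        print(f"low port: {hit['action']} {hit['proto']} "
              f"{hit['src']}:{hit['sport']} -> {hit['dst']}:{hit['dport']}")
```

The unparsed count is the useful operational signal here: lines without port fields are exactly the ones an ACL entry without a port operator would generate, so a rising unparsed count is a hint that some entries in the list are not matching on ports at all.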