10-27-2005 11:13 PM - edited 03-03-2019 10:50 AM
Hi Friend
I have seen these messages in my router logs:
denied udp 192.168.6.103(0) ->10.10.11.11(0), 2 packets
denied tcp 192.168.6.103(0) -> 10.10.11.6(0), 39 packets
I'm not sure about port 0 on the source and destination addresses for tcp and udp; please explain to me what that means.
Thanks
10-28-2005 12:01 AM
UDP Port 0 and TCP Port 0 are reserved.
From the log looks like some type of port scan?
In your logs did you have any messages regarding access-lists?
Cisco access lists report port 0 unless a port is explicitly mentioned in an access list.
That is, coding:
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
will report 0 as the port, but coding
access-list 100 deny tcp 10.0.0.0 0.255.255.255 any range 0 65535 log
access-list 100 deny udp 10.0.0.0 0.255.255.255 any range 0 65535 log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
will give correct port numbers for TCP and UDP.
This is a side-effect of the access list evaluation optimiser.
10-28-2005 02:45 AM
Hi
Thank you for the comment, but I'm scared that it's a port scan or something from a hacker.
Thank you
10-28-2005 04:09 AM
Hello,
Is 192.168.6.103 an address used within your network? If so, you should be able to track it down. If not, there is only one way for somebody who is not authorized to use that internal address, and that is by means of spoofing the address. Try and configure the anti-spoofing access list below on your edge router interface, that is, on the interface(s) connecting you to the outside world:
ip access-list standard PRIVATE_ADDRESS_SPACE
deny 10.0.0.0 0.255.255.255
deny 172.16.0.0 0.15.255.255
deny 192.168.0.0 0.0.255.255
permit any
Apply the access-list inbound to your edge interface:
ip access-group PRIVATE_ADDRESS_SPACE in
Regards,
GP
10-31-2005 03:42 AM
According to "Cisco access lists report port 0 unless a port is explicitly mentioned in an access list.
That is, coding:
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
will report 0 as the port "
I have other logs that have a similar access-list, but the router does show the port:
denied udp 192.168.10.123(3974) -> 10.2.3.11(53)
denied tcp 192.168.10.123(3980) -> 172.17.12.230(4721)
denied tcp 192.168.10.123(3981) -> 172.17.12.36(445)
What's the problem with the access-list log that the router does not show the port, but some logs show the port?
Thanks
10-31-2005 05:45 AM
Tawee
In my experience, if the access list has permits and denies that look at specific ports then the log messages will report the port number. But if the access list just permits or denies by protocol (but does not specify a port) then the log message will have 0 (as yours does).
So if your access list were to be something like this:
permit ip 10.10.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
deny ip any any log
then the log of denied packets will have 0.
If the access list were to be something like this:
permit tcp 10.10.0.0 0.0.255.255 172.16.0.0 0.0.255.255 eq 23
permit udp 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq 53
deny ip any any log
then the log of denied packets will have port numbers.
If you would post the exact contents of your access list we could see if this is the right explanation.
HTH
Rick
11-02-2005 08:11 PM
Hi all
This is my access-list number 100 :
access-list 100 remark *** For ATS Project ****
access-list 100 permit icmp any 192.168.6.0 0.0.0.255
access-list 100 permit icmp any 192.168.250.0 0.0.0.255
access-list 100 permit ip any 172.31.0.0 0.0.255.255
access-list 100 deny ip any any log
and this is my access-list number 150 :
access-list 150 remark **** Access-list for FTP Project *****
access-list 150 permit icmp any host 192.168.10.1
access-list 150 permit ip any host 192.168.10.1
access-list 150 deny icmp any any echo log
access-list 150 deny icmp any any echo-reply log
I thought my access-lists 100 and 150 would not be different from each other, but when I checked the logs I saw a difference like this:
Logs access-list 150:
list 150 denied tcp 192.168.10.123(2762) -> 172.17.12.230(4721)
list 150 denied udp 192.168.10.121(2967) -> 172.21.101.68(26409)
Logs access-list 100:
list 100 denied tcp 192.168.6.102(0) -> 10.10.11.6(0)
list 100 denied tcp 10.10.9.93(0) -> 10.10.14.31(0)
Logs for access-list 150 identify the port number but not for access-list 100?? What is your idea???
Thanks
11-03-2005 06:07 AM
Tawee
It is not quite the difference that I expected, but I believe what you have posted is consistent with my idea. Access list 100 does not look any deeper than the IP addresses (does not examine any port numbers) and does not report port numbers. Access list 150 does look deeper into the packet than just the address when it has:
access-list 150 deny icmp any any echo log
access-list 150 deny icmp any any echo-reply log
Since it is looking deeper than just the address it can report the port number. If you add something in access list 100 that looks deeper into the packet I believe that access list 100 will begin to report port numbers.
HTH
Rick
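An added example, not from any poster in this thread: a small parser that groups the "denied tcp/udp" log lines per access list and flags lists whose entries only ever show (0) on both sides, so a reviewer can tell "this ACL never inspected Layer 4" apart from a genuine port scan. The log lines are constructed to match the format quoted above; the list numbers and addresses are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the format posted in the thread
# (not real output from the poster's router).
SAMPLE_LOGS = """\
list 100 denied tcp 192.168.6.102(0) -> 10.10.11.6(0), 39 packets
list 100 denied udp 192.168.6.103(0) -> 10.10.11.11(0), 2 packets
list 150 denied tcp 192.168.10.123(2762) -> 172.17.12.230(4721), 1 packet
list 150 denied udp 192.168.10.121(2967) -> 172.21.101.68(26409), 1 packet
list 150 denied tcp 192.168.10.123(3981) -> 172.17.12.36(445), 1 packet
"""

LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
    r"(?:, (?P<count>\d+) packets?)?"
)


def parse_line(line):
    """Parse one 'list N denied tcp/udp' line; return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["count"] = int(d["count"] or 1)  # count is absent on some lines
    return d


def summarize(text):
    """Group denied TCP/UDP entries per ACL.

    l4_ports_logged is False when every entry shows port 0 on both sides,
    i.e. the ACL matched on addresses only and the log carries no port
    information; it is not evidence of a real port-0 scan."""
    by_acl = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            by_acl[rec["acl"]].append(rec)
    report = {}
    for acl, recs in by_acl.items():
        no_l4 = all(r["sport"] == 0 and r["dport"] == 0 for r in recs)
        report[acl] = {
            "entries": len(recs),
            "packets": sum(r["count"] for r in recs),
            "l4_ports_logged": not no_l4,
            "dst_ports": [] if no_l4 else sorted({r["dport"] for r in recs}),
        }
    return report
```

For an ACL reported with l4_ports_logged False, the fix is in the ACL itself (add tcp/udp entries that name a port or range, as shown earlier in the thread), not in the log parser.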