Online Scans: Precursor to Attack?
Researcher Says Spike in Port Zero Traffic Worrisome
A significant uptick in traffic this week linked to an Internet port known as "port zero" is likely among the first signs of a massive and targeted attack against remote servers and networks throughout the world, says threat researcher Craig Williams of Cisco Systems Inc.
Fraud analyst Al Pascual of the consultancy Javelin Strategy & Research says news of the port zero scans revealed by Cisco is significant because such activity is often a precursor to distributed-denial-of-service attacks.
"The attackers are probing networks to determine how they respond," Pascual says. "This activity could also represent attempts to locate systems for later infection with operating-system-specific attacks, as Unix and Windows treat port zero slightly differently. Port zero traffic is often completely innocuous, but the breadth of this activity renders it suspicious enough to watch closely. It is too early to tell exactly what this activity portends, but organizations should be on guard."
While Williams does not believe the network and server scans through port zero are linked to DDoS strikes, he says it's difficult to know exactly what type of attack, if any, could result.
"This type of reconnaissance is for remote attacks against a remote server or any other type of remote service," Williams says. "Seeing reconnaissance activity does not always indicate attack, but there is no reason for someone to do this kind of scanning with bad IPs [IP addresses] unless they were planning something."
In fact, Williams says the remote scans being run through port zero suggest that if an attack is later waged against some operating system or device vulnerability, it could be so narrow that it's not detected.
Researchers say the port zero traffic that is being used to scan remote servers and networks is not focused on any single industry. "Just about anyone is being scanned, and I would guess that means it's some piece of malware that is looking for some very specific vulnerable piece of software to exploit," Williams says. "They are not doing this randomly."
This type of anticipated attack is completely preventable because the main vulnerability is port zero - an Internet port no one needs to leave open, Williams says.
"The most obvious thing to do is block or deny this port over TCP [Transmission Control Protocol] and UDP [User Datagram Protocol]," he says. "This port is open in many cases because most people are just not aware of it."
Because port zero is a reserved port, Williams says, it generally should not be used; the only legitimate traffic linked to port zero should be for testing or research.
So when researchers started noting abnormal upticks in port zero traffic Nov. 2 - the highest such traffic this year - they knew something was amiss, Williams says. And, based on the traffic patterns, the end goal is likely some sort of attack, he says. That's because the Internet protocol addresses linked to the port zero traffic are known as being malicious, Williams says.
And Williams says other Internet security teams have confirmed seeing the same kind of anomalous traffic linked to port zero.
"We know these IPs don't have a good reputation, and that is why we are concerned," he says. "And, historically, right before an attack, you can expect to see this type of increase in traffic patterns, which is another reason why we are worried."
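The two signals the article describes, an abnormal uptick in port zero traffic on a single day and the bad reputation of the source addresses, can be checked against a site's own flow records. The script below is an added example written for this article, not Cisco's tooling or anything the researchers published. It assumes a simple whitespace-separated flow-record line format (date, source IP, source port, destination IP, destination port, protocol), a five-day baseline window and a threshold of three times the baseline; the flow lines and the reputation blocklist in it are constructed sample data with documentation-range addresses, not the IPs referred to in the article.

```python
"""Flag a spike in port-zero traffic and check its sources against a blocklist.

Added example for this article; not Cisco's tooling. The record format, the
baseline window and the spike factor are assumptions; all data is constructed.
"""
from collections import Counter
from statistics import mean

# Constructed flow records: "YYYY-MM-DD src_ip src_port dst_ip dst_port proto".
# 2013-10-28 .. 2013-11-01 carry a trickle of port-zero noise (1, 0, 1, 0, 2);
# 2013-11-02 carries a burst of eight port-zero probes from four sources.
SAMPLE_FLOWS = """\
2013-10-28 192.0.2.5 51000 203.0.113.10 443 TCP
2013-10-28 192.0.2.6 0 203.0.113.10 53 UDP
2013-10-29 192.0.2.5 51001 203.0.113.10 443 TCP
2013-10-29 192.0.2.7 40000 203.0.113.11 80 TCP
2013-10-30 192.0.2.8 0 203.0.113.11 80 TCP
2013-10-30 192.0.2.5 51002 203.0.113.10 22 TCP
2013-10-31 192.0.2.7 40001 203.0.113.11 80 TCP
2013-11-01 192.0.2.9 33000 203.0.113.10 0 UDP
2013-11-01 192.0.2.6 0 203.0.113.10 53 UDP
2013-11-01 192.0.2.5 51003 203.0.113.10 443 TCP
2013-11-02 198.51.100.7 44000 203.0.113.10 0 TCP
2013-11-02 198.51.100.7 44001 203.0.113.11 0 TCP
2013-11-02 198.51.100.7 44002 203.0.113.12 0 UDP
2013-11-02 198.51.100.8 45000 203.0.113.10 0 TCP
2013-11-02 198.51.100.8 45001 203.0.113.11 0 UDP
2013-11-02 192.0.2.44 46000 203.0.113.10 0 TCP
2013-11-02 192.0.2.44 46001 203.0.113.12 0 TCP
2013-11-02 203.0.113.99 47000 203.0.113.10 0 TCP
2013-11-02 192.0.2.5 51004 203.0.113.10 443 TCP
"""

# Constructed reputation blocklist (placeholder entries, not real indicators).
SAMPLE_BLOCKLIST = {"198.51.100.7", "198.51.100.8"}

BASELINE_DAYS = ["2013-10-28", "2013-10-29", "2013-10-30", "2013-10-31", "2013-11-01"]


def parse_flows(text):
    """Parse flow-record lines into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, sport, dst, dport, proto = line.split()
        flows.append({"day": day, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def is_port_zero(flow):
    """Port zero is reserved; traffic with it at either end is worth a look."""
    return flow["sport"] == 0 or flow["dport"] == 0


def port_zero_by_day(flows):
    """Count port-zero flows per calendar day."""
    return Counter(f["day"] for f in flows if is_port_zero(f))


def detect_spike(counts, day, baseline_days, factor=3.0, min_count=5):
    """Return (is_spike, today's count, baseline mean).

    A day is a spike when its count reaches min_count and exceeds `factor`
    times the baseline mean (floored at 1 so a quiet baseline cannot make a
    handful of flows look dramatic).
    """
    baseline = mean(counts.get(d, 0) for d in baseline_days)
    today = counts.get(day, 0)
    is_spike = today >= min_count and today > factor * max(baseline, 1.0)
    return is_spike, today, baseline


def port_zero_sources(flows, day):
    """Source addresses sending port-zero traffic on `day`, with flow counts."""
    return Counter(f["src"] for f in flows if is_port_zero(f) and f["day"] == day)


def reputation_hits(sources, blocklist):
    """Subset of the sources that appear on the reputation blocklist."""
    return {ip: n for ip, n in sources.items() if ip in blocklist}


def report(text, day, baseline_days, blocklist):
    """Run the full check for one day and return the findings as a dict."""
    flows = parse_flows(text)
    is_spike, today, baseline = detect_spike(port_zero_by_day(flows), day, baseline_days)
    sources = port_zero_sources(flows, day)
    return {"day": day, "spike": is_spike, "count": today, "baseline": baseline,
            "sources": dict(sources), "bad_reputation": reputation_hits(sources, blocklist)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_FLOWS, "2013-11-02", BASELINE_DAYS, SAMPLE_BLOCKLIST).items():
        print(f"{key}: {value}")
```

On the constructed data the Nov. 2 count (8) is ten times the baseline mean (0.8), so the day is flagged, and two of the four probing sources match the blocklist; a real deployment would feed it exported flow records and an actual reputation list, and a spike whose sources are all unknown is the case worth escalating rather than dismissing, since the article's point is that the addresses, not the port alone, carried the warning.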
Also, the only time online scanning in a legitimate context should occur is when research is being conducted, Williams explains. "And we have not been able to associate these IPs with any white-hat," he adds.
Most of the IP addresses involved have been linked to the Netherlands, but Williams says that does not mean much. "It's likely compromised machines, so I'm not sure the geographic location tells us much," he says.