The Strange History of Port 0
While reading the latest report from Arbor Network on DDoS activity across the Internet in Q2 2013, a particular phrase jumped out at me:
“TCP fragmentation attacks (port 0) are up from about 10% last year to nearly 25% this year.”
There are three reasons I don’t understand that statement. First, TCP is a streaming protocol, not a datagram protocol, so there is no concept of “fragmentation” within TCP itself. Second, googling “TCP fragmentation” turns up an IDS evasion technique that uses overlapping sequence numbers in retransmissions to replace the contents of the receive buffer on the recipient but not on the IDS (see here for an excellent write-up that includes Wireshark screenshots), but that technique has nothing to do with port 0. Third, and the one I will explore here, port 0 isn’t defined as a valid port.
Even though port 0 isn’t a valid port for traffic, network management tools will regularly report that you have traffic headed there. However, that is not what the packets actually contain.
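As an added example (not code from the original post), the script below shows how a flow record can end up carrying port 0 even though no packet has port 0 in it. It assumes the usual mechanism: only the first fragment of a fragmented IP datagram carries the TCP or UDP header, so a flow exporter that sees a later fragment has no ports to read and records 0 for both. The packets, addresses, `FlowRecord` class and `triage_port_zero` helper are all constructed here for illustration and are not from any particular tool.

```python
import struct
from dataclasses import dataclass
from typing import List

# Constructed addresses from documentation ranges, not real hosts.
SRC = bytes([192, 0, 2, 10])
DST = bytes([198, 51, 100, 20])
IP_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, ident: int, more_fragments: bool, offset_units: int, proto: int = 6) -> bytes:
    """Build a minimal IPv4 packet; offset_units is the fragment offset in 8-byte units."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0, SRC, DST)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp_header(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header: ports, seq, ack, data offset 5, ACK flag, window, checksum 0, urgent 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x10, 65535, 0, 0)


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    l4_header_present: bool  # False when the exporter had no transport header to read
    fragment: bool           # True for any fragment, first or later


def classify(pkt: bytes) -> FlowRecord:
    """Mimic a flow exporter: read ports from the first fragment only, else report 0/0."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8
    fragment = mf or offset > 0
    src_s = ".".join(map(str, src))
    dst_s = ".".join(map(str, dst))
    if offset > 0 or proto not in (6, 17) or len(pkt) < ihl + 4:
        # Non-initial fragment (or not TCP/UDP): there is no transport header at this
        # offset, so the ports are unknown and the record is filled with 0 for both.
        return FlowRecord(src_s, dst_s, proto, 0, 0, False, fragment)
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return FlowRecord(src_s, dst_s, proto, sport, dport, True, fragment)


def is_valid_port(port: int) -> bool:
    """Port 0 is reserved; only 1..65535 are usable for traffic."""
    return 1 <= port <= 65535


def triage_port_zero(records: List[FlowRecord]) -> dict:
    """Separate 'port 0 because no header was seen' from 'port 0 really in the header'."""
    out = {"no_l4_header": 0, "real_port_zero": 0, "normal": 0}
    for r in records:
        if not r.l4_header_present:
            out["no_l4_header"] += 1
        elif not (is_valid_port(r.sport) and is_valid_port(r.dport)):
            out["real_port_zero"] += 1
        else:
            out["normal"] += 1
    return out


def sample_packets() -> List[bytes]:
    """Constructed sample: a first fragment with TCP header, its second fragment, and a packet with a real port 0."""
    first = build_ipv4(tcp_header(40000, 80) + b"A" * 1460, ident=0x1234, more_fragments=True, offset_units=0)
    second = build_ipv4(b"B" * 100, ident=0x1234, more_fragments=False, offset_units=185)  # 185 * 8 = 1480 bytes in
    real_zero = build_ipv4(tcp_header(40001, 0), ident=0x1235, more_fragments=False, offset_units=0)
    return [first, second, real_zero]


if __name__ == "__main__":
    records = [classify(p) for p in sample_packets()]
    for r in records:
        print(r)
    print(triage_port_zero(records))
```

Running it prints three records: the first fragment is attributed to 40000 → 80, the second fragment becomes 0 → 0 with `l4_header_present=False`, and the third packet shows a destination port of 0 that really is in the TCP header. The triage split is the part worth keeping in a detection pipeline: a spike in the first category is fragmented traffic (which may or may not be hostile) and should be analysed by source and fragment rate, while the second category is traffic to a port that no legitimate service listens on and can be dropped at the edge.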