The curious case of port 0

Abstract

In order to direct network traffic towards applications, transport layer protocols such as TCP and UDP add the notion of a port number. A share of these numbers is registered for well-known services such as web or mail, while others are left to be dynamically assigned by the OS to client connections. A special case is port 0, which is reserved but was never assigned. Traffic from and to port 0 is unusual, because it should not occur in the wild. As port 0 is unassigned, no common service listens for connections there. Furthermore, operating systems usually interpret a request to open port 0 as a request to allocate and open any currently unused port. Thus, traffic from and to port 0 should not occur, because no application should listen there and applications cannot send from port 0. In practice, we do however see traffic from and to port 0, which indicates that someone makes the effort to bypass the normal operating system network stack to create these unusual packets. As a corner case of network protocols, port 0 has basically never been thoroughly investigated. In this paper, we analyze network traffic collected through a /15 network telescope over a period of 3 years to characterize these curious data flows. We find that port 0 traffic seems to be used in the wild by a select few for a variety of purposes, from DDoS attacks to system fingerprinting, and that some of these actors possess a surprisingly sophisticated knowledge of OS behavior.
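The two observations the abstract rests on, shown in code: a bind to port 0 never yields port 0 (the OS substitutes an ephemeral port), so any flow record carrying port 0 on either side is an anomaly worth flagging. This is an added example, not code from the paper; the flow records and the `Flow`/`summarize` helpers are constructed for illustration.

```python
import socket
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as a telescope or firewall might export it (constructed format)."""
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def ephemeral_port_for_port_zero(proto: int = socket.SOCK_STREAM) -> int:
    """Ask the OS for port 0 and return the port it actually hands back.

    bind() to port 0 means 'allocate any free port', so the result is never 0.
    This is why applications on a normal stack cannot send from port 0.
    """
    with socket.socket(socket.AF_INET, proto) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def port_zero_flows(flows):
    """Keep only flows with port 0 as source or destination; nothing should
    listen there and nothing sends from there without crafting raw packets."""
    return [f for f in flows if f.sport == 0 or f.dport == 0]


def summarize(flows):
    """Count port-0 flows by protocol and by which side carries the zero."""
    counts = Counter()
    for f in port_zero_flows(flows):
        side = "both" if f.sport == 0 and f.dport == 0 else ("src" if f.sport == 0 else "dst")
        counts[(f.proto, side)] += 1
    return dict(counts)


# Constructed sample records using RFC 5737 documentation addresses, not real observations.
SAMPLE_FLOWS = [
    Flow("tcp", "198.51.100.7", 0, "192.0.2.10", 80),
    Flow("udp", "198.51.100.9", 0, "192.0.2.11", 0),
    Flow("tcp", "198.51.100.12", 44123, "192.0.2.12", 443),
    Flow("udp", "198.51.100.13", 53, "192.0.2.13", 0),
]

if __name__ == "__main__":
    print("OS allocated port", ephemeral_port_for_port_zero(), "for a bind to port 0")
    print(summarize(SAMPLE_FLOWS))
```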

Files

08816853.pdf
(pdf | 0.555 Mb)
Unknown license