Dissecting Internet Traffic on Port 0

Coordinators: Aniss Maghsoudlou, Oliver Gasser

Devices and computers need to establish a connection with each other to send and receive data on the Internet. Transport protocols are part of the protocol stack that facilitates this connection. A single computer may run several applications and services that each require a connection, such as Web, e-mail, and FTP. Transport protocols therefore use port numbers to distinguish between these applications and services.

TCP and UDP, the two most widely used transport protocols, restrict which port numbers are valid. One example of an invalid port number for these protocols is port 0.

In this project, we perform active and passive measurements to investigate the origins and causes of port 0 traffic on the Internet. For passive measurements, we use multiple packet- and flow-level datasets and use diverse Transport or Network layer fields, e.g. fragmentation header, TCP control bits, payload size, etc. to infer the causes of port 0 traffic.

We find that TCP port 0 traffic usually does not contain any payload and is mostly one-way. Analyzing TCP control bits, we categorize most of the two-way streams as scanning traffic. Then, to understand how hosts and routers treat port 0 traffic, we leverage Internet-wide scans and traceroutes. We observe unusually high response rates to TCP port 0 probes in IPv4 and also uncover the presence of port 0 packet filtering. [1]
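The following sketch is an added example, not code from the project or the paper. It reads the fields named above (fragment offset, TCP control bits, payload size) from raw IPv4/TCP packets and labels port 0 streams as one-way or two-way. The "scan-like" rule, the function names and the sample packets are assumptions made for illustration.

```python
import struct
from collections import Counter, defaultdict

FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # TCP control bits, LSB first

def parse(pkt):
    """Extract the fields the text names from one raw IPv4/TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    total, frag, src, dst = struct.unpack("!2xH2xH4x4s4s", pkt[:20])
    ihl = (pkt[0] & 0x0F) * 4
    rec = {"src": src, "dst": dst, "frag_offset": frag & 0x1FFF,
           "sport": None, "dport": None, "flags": "", "payload": 0}
    if rec["frag_offset"] or len(pkt) < ihl + 14:
        return rec  # non-first fragment or truncated capture: no ports to read
    sport, dport, offset, bits = struct.unpack("!HH8xBB", pkt[ihl:ihl + 14])
    rec.update(sport=sport, dport=dport, payload=total - ihl - (offset >> 4) * 4,
               flags="+".join(n for i, n in enumerate(FLAGS) if bits >> i & 1))
    return rec

def classify(packets):
    """Label TCP port 0 streams. The scan-like rule is an assumed heuristic."""
    streams, counts = defaultdict(list), Counter()
    for rec in filter(None, map(parse, packets)):
        if rec["frag_offset"]:
            counts["non-first fragment"] += 1
        elif 0 in (rec["sport"], rec["dport"]):
            ends = frozenset([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])])
            streams[ends].append(rec)
    for recs in streams.values():
        quiet = not any(r["payload"] for r in recs)
        if len({(r["src"], r["sport"]) for r in recs}) == 1:
            counts["one-way"] += 1
        elif quiet and {r["flags"] for r in recs} <= {"SYN", "SYN+ACK", "RST", "RST+ACK"}:
            counts["two-way, scan-like"] += 1
        else:
            counts["two-way, other"] += 1
    return counts

def build(src, dst, sport, dport, bits=0, payload=b"", frag_offset=0):
    """Constructed sample IPv4/TCP packet for the demo (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, bits, 0, 0, 0)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, frag_offset,
                       64, 6, 0, bytes(src), bytes(dst)) + tcp + payload

A, B = (192, 0, 2, 1), (198, 51, 100, 7)  # constructed documentation addresses
SAMPLE = [build(A, B, 40000, 0, 0x02), build(B, A, 0, 40000, 0x14),  # SYN, RST+ACK
          build(A, B, 0, 0, 0x02), build(A, B, 0, 0, frag_offset=185)]
```

Calling `classify(SAMPLE)` counts one two-way scan-like stream, one one-way stream and one non-first fragment, which carries no transport header and therefore no port to inspect.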

This topic will also be presented at the PAM 2021 conference at the end of March/beginning of April 2021 ("Zeroing in on Port 0 Traffic in the Wild").



[1] A. Maghsoudlou, O. Gasser, and A. Feldmann. Reserved: Dissecting internet traffic on port 0. In Extended abstract of a poster presented at Passive and Active Measurement Conference (PAM) 2020, Virtual Conference, 2020. arXiv:2004.03653.