An analysis of TCP Port 0 traffic and net BIOS SMB spam advertisement incidents within a set of honeypots / Emran Mohd Tamil and Abdul Hamid Othman

Mohd Tamil, Emran and Othman, Abdul Hamid (2006) An analysis of TCP Port 0 traffic and net BIOS SMB spam advertisement incidents within a set of honeypots / Emran Mohd Tamil and Abdul Hamid Othman. Jurnal Gading UiTM Pahang, 10 (1). pp. 15-27. ISSN 0128-5599

Abstract

In early 2004, 5 sets of honeypots were deployed sequentially to gather data on threats that exist on a normal DSL internet connection. Other than the main finding that normal DSL users are susceptible to random online attack, the research also observed several kinds of abnormal and interesting network traffic, such as port zero TCP traffic and Net BIOS SMB spam pop-up advertisement network traffic. Traffic to or from port zero is not valid under normal circumstances as there is no such port zero. As these packets are very likely crafted, they are an indicator of unauthorised network use, reconnaissance activities or system compromise. Some of the honeypots also experienced pop-up messages with advertisements. The pop-up advertisement messages were the result of spamming activities that exploit the Net BIOS messaging protocol. This paper analysed both the TCP port zero traffic and the Net BIOS SMB spam advertisement pop-up network traffic experienced by the honeypots deployed.

Metadata

Item Type: Article
Creators (Email / ID Num.): Mohd Tamil, Emran (emran@um.edu.my); Othman, Abdul Hamid (UNSPECIFIED)
Subjects: T Technology > TK Electrical engineering. Electronics. Nuclear engineering > Telecommunication > Computer networks. General works. Traffic monitoring
T Technology > TK Electrical engineering. Electronics. Nuclear engineering > Telecommunication > Computer networks. General works. Traffic monitoring > Computer network protocols > TCP/IP (Computer network protocol)
Divisions: Universiti Teknologi MARA, Pahang > Jengka Campus
Journal or Publication Title: Jurnal Gading UiTM Pahang
UiTM Journal Collections: Others > GADING
ISSN: 0128-5599
Volume: 10
Number: 1
Page Range: pp. 15-27
Keywords: High interaction honeypot, Honeynet, Port zero, Net BIOS spam SMB exploit, Reconnaissance
Date: 2006
URI: https://ir.uitm.edu.my/id/eprint/35555

ID Number

35555
