Zeroing in on Port 0 Traffic in the Wild
Aniss Maghsoudlou, Oliver Gasser, Anja Feldmann

TL;DR
This paper investigates the origins and characteristics of port 0 traffic in the Internet, revealing it mainly results from packet fragmentation, with some links to BitTorrent and scanning activities, and assesses network responses to such traffic.
Contribution
It provides a comprehensive analysis of port 0 traffic using multiple datasets and active measurements, offering insights into its sources, patterns, and network reactions.
Findings
Most port 0 traffic is due to packet fragmentation artifacts.
A significant portion of payload-containing packets are from BitTorrent.
High response rates to TCP port 0 probes in IPv4 networks.
Abstract
Internet services leverage transport protocol port numbers to specify the source and destination application layer protocols. While using port 0 is not allowed in most transport protocols, we see a non-negligible share of traffic using port 0 in the Internet. In this study, we dissect port 0 traffic to infer its possible origins and causes using five complementing flow-level and packet-level datasets. We observe 73 GB of port 0 traffic in one week of IXP traffic, most of which we identify as an artifact of packet fragmentation. In our packet-level datasets, most traffic is originated from a small number of hosts and while most of the packets have no payload, a major fraction of packets containing payload belong to the BitTorrent protocol. Moreover, we find unique traffic patterns commonly seen in scanning. In addition to analyzing passive traces, we also conduct an active measurement…
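The distinction the abstract draws between fragmentation artifacts and packets that really carry port 0 can be checked per packet, as in this added example (not code from the paper or its authors). The function names and the packet bytes are constructed for illustration, and the IPv4 checksum is left at zero and not validated.

```python
import struct
from collections import Counter

TCP, UDP = 6, 17

def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet by how it relates to 'port 0' traffic."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    (flags_frag,) = struct.unpack_from("!H", pkt, 6)
    frag_offset = flags_frag & 0x1FFF          # offset in 8-byte units
    if pkt[9] not in (TCP, UDP):
        return "other-proto"
    if frag_offset != 0:
        # Non-first fragment: the bytes after the IP header are payload, not a
        # TCP/UDP header, so no port exists; flow records typically show 0 here.
        return "fragment-artifact"
    if ihl < 20 or len(pkt) < ihl + 4:
        return "truncated"
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return "real-port0" if 0 in (sport, dport) else "normal"

def summarize(packets) -> Counter:
    """Count packets per class so artifacts and real port 0 can be compared."""
    return Counter(classify(p) for p in packets)

def ipv4(proto: int, payload: bytes, frag_offset: int = 0, more_frags: bool = False) -> bytes:
    """Build a constructed IPv4 packet (documentation addresses, checksum 0)."""
    flags_frag = (0x2000 if more_frags else 0) | frag_offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

# Constructed sample: a fragmented UDP datagram plus one TCP SYN to port 0.
UDP_FIRST = ipv4(UDP, struct.pack("!HHHH", 40000, 53, 24, 0) + b"A" * 16, more_frags=True)
UDP_LATER = ipv4(UDP, b"A" * 16, frag_offset=3)
TCP_PORT0 = ipv4(TCP, struct.pack("!HHIIHHHH", 40000, 0, 1, 0, 0x5002, 1024, 0, 0))
SAMPLE = [UDP_FIRST, UDP_LATER, UDP_LATER, TCP_PORT0]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE).items():
        print(f"{label}: {count}")
```

Only the `real-port0` class reflects a sender that actually put 0 in a transport header; the `fragment-artifact` class is a reporting side effect and should be separated out before drawing conclusions about scanning.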
