In order to direct network traffic towards applications, transport layer protocols such as TCP and UDP add the notion of a port number. A share of these numbers is registered for well-known services such as a web or mail, while some is left to be dynamically assigned by the OS to client connections. A special case is port 0 which is reserved but was never assigned. Traffic from and to port 0 is unusual, because it should not occur in the wild. As port 0 is unassigned, there is no common service listing for connections here. Furthermore, operating systems usually interpret the request to open port 0 as the request to allocate and open any currently unused port. Thus, traffic from and to port 0 should not occur, because no application should listen there and applications cannot send from port 0. In practice, we do however see traffic from and to port 0, which indicates that someone makes the effort to bypass the normal operating system network stack to create these unusual packets. As a corner case of network protocols, the aspect of port 0 has basically never been thoroughly investigated. In this paper, we analyze network traffic collected through a /15 network telescope over a period of 3 years to characterize these curious data flows. We find that port 0 traffic seems to be used in the wild by a select few for a variety of purposes, from DDoS attacks to system fingerprinting, and that some of these actors possess a surprisingly sophisticated knowledge of OS behavior. ... Read more

Industrial control systems are becoming increasingly interconnected, and with it their vulnerability to malicious actors. While intrusion detection systems are suited to detect network-based attacks, they remain unable to detect more sophisticated attacks against control systems, for example a compromise of the PLCs. This paper makes the case that the evolving landscape of threats such as the Stuxnet malware requires an alternative approach to intrusion detection in industrial control systems. We argue that effective control of such advanced threats needs to happen in the last link of the control network, hence building a last line of defense. A proof of concept of this new paradigm was implemented for the control system of a dredging vessel, and we describe main lessons learned and pose open research questions we find based on these experiences for ICS intrusion detection. ... Read more