Rule:

--
Sid: 525

--
Summary:
This event is generated when UDP traffic to port 0 is detected. This 
should not be seen in normal UDP communications.

--
Impact:
Denial of Service against Checkpoint Firewall 1 devices. Possible 
reconnaisance. This may be an attempt to verify the existance 
of a host or hosts at a particular address or address range.

--
Detailed Information:
UDP traffic to port 0 is not valid under normal circumstances.

Certain versions of Checkpoints Firewall 1 are subject to a Denial of 
Service attack when UDP packets to port 0 are sent via VPN-1.

an indicator of unauthorized network use, reconnaisance activity or 
system compromise. These rules may also generate an event due to 
improperly configured network devices.

--
Affected Systems:
	Any

--
Attack Scenarios:
The attacker could send packets to a host with a destination port of 0. 
The attacker might also be using hping to verify the existance of a host
as a prelude to an attack.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Disallow UDP traffic to port 0.

--
Contributors:
Original rule writer unknown
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0675

--
