[Dshield] Port question

Tony Carothers tony.carothers at lifestreamtech.com
Thu Aug 16 22:15:14 GMT 2001


This sounds very similar to a COM+ application; they typically use ports > 1024.
-----Original Message-----
From: Jonathan G. Lampe [mailto:jonathan at stdnet.com]
Sent: Thursday, August 16, 2001 13:12
To: dshield at dshield.org
Subject: Re: [Dshield] Port question


This might be one of those old stimulus-response puzzles...  ports 1033-1035
are in order and close to port 1024.  The traffic you see might be the
result of something coming FROM your network, hitting a remote server which
(may/is) not able to return its packets into your network.  (An abruptly
terminated connection initiated from within your network could EASILY cause
this kind of traffic.)   

The BIG question in this case: What is the source port of these packets?

- Jonathan Lampe, Standard Networks, Inc, 608.227.6100, jonathan at stdnet.com

P.S. You didn't say what kind of router you have or whether the attempts
were TCP/UDP/etc, but I've seen Ciscos with the firewall feature set NOT
report "stimulus" outbound UDP packets which trigger offending "response"
inbound packets.

P.P.S. Here's some basic info about the IP... (it's not a hardwired web
server)

...from whois.arin.net               
Manoa Innovation Center (NET-MIC) MIC            167.216.0.0 - 167.216.255.255
Digital Island, Inc. (NETBLK-MIC-DIGISLE-D) MIC-DIGISLE-D
                                               167.216.176.0 - 167.216.191.255

Digital Island, Inc. (NETBLK-MIC-DIGISLE-D)
   45 Fremont St, Suite 1200
   San Francisco, CA 94105
   US

   Netname: MIC-DIGISLE-D
   Netblock: 167.216.176.0 - 167.216.191.255
   Maintainer: DIIS

   Coordinator:
      Digital Island, Inc. 45 Fremont Street (NR-ORG-ARIN) netreg at digisle.net
      415.228.4100 Fax- 415.228.4141

   Record last updated on 31-May-2000.
   Database last updated on 15-Aug-2001 23:05:40 EDT.

At 12:28 PM 8/16/2001, you wrote:


Lately I've been seeing repeated attempts to reach ports 1033, 1034 and 1035
on my router. They're all coming from 167.216.187.186. What kind of probe is
this? I can't find this port as signifying anything.

Thanks,
dave

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield
<http://www1.dshield.org/mailman/listinfo/dshield>  
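
The stimulus-response check described in the thread above, as an added example that is not part of the original messages: it pairs each inbound packet with an earlier outbound packet on the reversed flow and, when no stimulus was logged (the case raised in the P.S.), falls back on the source port. The log records, the addresses (documentation ranges) and the 120-second window are constructed assumptions.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts direction proto src sport dst dport")

# Constructed sample log, not taken from the thread.
# 192.0.2.10 is a hypothetical inside host, 198.51.100.7 a hypothetical remote host.
SAMPLE = [
    Pkt(100.0, "out", "udp", "192.0.2.10", 1033, "198.51.100.7", 53),
    Pkt(100.4, "in",  "udp", "198.51.100.7", 53, "192.0.2.10", 1033),
    Pkt(400.0, "in",  "udp", "198.51.100.7", 53, "192.0.2.10", 1034),
    Pkt(500.0, "in",  "tcp", "198.51.100.7", 40000, "192.0.2.10", 1035),
]

def classify(packets, window=120.0):
    """Label each inbound packet 'response', 'likely-response' or 'unsolicited'.

    window is an assumed maximum delay, in seconds, between stimulus and reply.
    """
    last_out = {}   # (proto, inside ip, inside port, remote ip, remote port) -> time
    results = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.direction == "out":
            last_out[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.ts
            continue
        # An inbound reply carries the outbound flow's endpoints swapped.
        seen = last_out.get((p.proto, p.dst, p.dport, p.src, p.sport))
        if seen is not None and p.ts - seen <= window:
            label = "response"            # matching stimulus was logged
        elif p.sport < 1024 <= p.dport:
            label = "likely-response"     # no stimulus logged, but a service port
                                          # is talking to an ephemeral port
        else:
            label = "unsolicited"         # nothing suggests we started this
        results.append((p, label))
    return results

if __name__ == "__main__":
    for pkt, label in classify(SAMPLE):
        print(f"{pkt.ts:7.1f} {pkt.proto} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport}  {label}")
```

A 'likely-response' label is only a hint: the source port is chosen by the sender, so it narrows the question rather than settling it.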
