[Dshield] Port question

Harty, Dave dharty at mcclainfinlon.com
Fri Aug 17 15:28:01 GMT 2001


Thanks for everyone's input. This is intriguing as the UDP packets are now
hitting port 1027. Maybe Jonathan is correct in that something on my network
is asking for a response and my Cisco router is rejecting it. The times are
completely random, however, all day and all night.

> ----------
> From: 	Tony Carothers
> Reply To: 	dshield at dshield.org
> Sent: 	Thursday, August 16, 2001 4:15 PM
> To: 	'dshield at dshield.org'
> Subject: 	RE: [Dshield] Port question
> 
> This sounds very similar to a COM+ Application, they typically use ports > 1024.
> -----Original Message-----
> From: Jonathan G. Lampe [mailto:jonathan at stdnet.com]
> Sent: Thursday, August 16, 2001 13:12
> To: dshield at dshield.org
> Subject: Re: [Dshield] Port question
> 
> 
> This might be one of those old stimulus-response puzzles...  ports
> 1033-1035 are in order and close to port 1024.  The traffic you see might
> be the result of something coming FROM your network, hitting a remote
> server which (may/is) not able to return its packets into your network.
> (An abruptly terminated connection initiated from within your network
> could EASILY cause this kind of traffic.)   
> 
> The BIG question in this case: What is the source port of these packets?
> 
> - Jonathan Lampe, Standard Networks, Inc, 608.227.6100,
> jonathan at stdnet.com
> 
> P.S. You didn't say what kind of router you have or whether the attempts
> were TCP/UDP/etc, but I've seen Ciscos with the firewall feature set NOT
> report "stimulus" outbound UDP packets which trigger offending "response"
> inbound packets.
> 
> P.P.S. Here's some basic info about the IP... (it's not a hardwired web
> server)
> 
> ...from whois.arin.net               
> Manoa Innovation Center (NET-MIC) MIC                      167.216.0.0 - 167.216.255.255
> Digital Island, Inc. (NETBLK-MIC-DIGISLE-D) MIC-DIGISLE-D  167.216.176.0 - 167.216.191.255
> 
> Digital Island, Inc. (NETBLK-MIC-DIGISLE-D)
> 45 Fremont St, Suite 1200
> San Francisco, CA 94105 US
> Netname: MIC-DIGISLE-D
> Netblock: 167.216.176.0 - 167.216.191.255
> Maintainer: DIIS
> Coordinator: Digital Island, Inc. 45 Fremont Street (NR-ORG-ARIN)
> netreg at digisle.net 415.228.4100 Fax- 415.228.4141
> Record last updated on 31-May-2000.
> Database last updated on 15-Aug-2001 23:05:40 EDT.
> 
> At 12:28 PM 8/16/2001, you wrote:
> 
> 
> 	Lately I've been seeing repeated attempts to reach ports 1033, 1034
> 	and 1035 on my router. They're all coming from 167.216.187.186. What
> 	kind of probe is this? I can't find this port as signifying anything.
> 
> 	Thanks,
> 	dave
> 
> 	_______________________________________________
> 	Dshield mailing list
> 	Dshield at dshield.org
> 	To change your subscription options (or unsubscribe), see:
> http://www1.dshield.org/mailman/listinfo/dshield 
> 
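
Added example, not part of the original thread: one way to test the stimulus-response idea raised above is to check whether each rejected inbound packet mirrors a recent outbound packet (same protocol, endpoints and ports swapped). The log format, the internal address 192.0.2.10, the remote source port 53 and the 30-second window are constructed assumptions; the thread never states the source port.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the thread): time, direction, proto, src, dst.
# OUT  = packet seen leaving the network.
# DENY = inbound packet rejected by the router.
# Records are assumed to be in time order.
SAMPLE_LOG = """\
2001-08-16T12:27:58 OUT  udp 192.0.2.10:1033 167.216.187.186:53
2001-08-16T12:28:01 DENY udp 167.216.187.186:53 192.0.2.10:1033
2001-08-16T12:28:04 DENY udp 167.216.187.186:53 192.0.2.10:1034
2001-08-16T12:40:00 DENY udp 167.216.187.186:53 192.0.2.10:1033
"""

def parse(line):
    """Split one record into (timestamp, direction, (proto, src, dst))."""
    ts, direction, proto, src, dst = line.split()
    return datetime.fromisoformat(ts), direction, (proto, src, dst)

def classify(log_text, window=timedelta(seconds=30)):
    """Label each denied inbound packet 'response' or 'unsolicited'."""
    last_out = {}  # (proto, src, dst) of an outbound packet -> last time seen
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, direction, (proto, src, dst) = parse(line)
        if direction == "OUT":
            last_out[(proto, src, dst)] = ts
        elif direction == "DENY":
            # A reply mirrors its stimulus: endpoints swapped, same protocol.
            stimulus = last_out.get((proto, dst, src))
            is_reply = stimulus is not None and ts - stimulus <= window
            results.append((line, "response" if is_reply else "unsolicited"))
    return results

if __name__ == "__main__":
    for line, verdict in classify(SAMPLE_LOG):
        print(f"{verdict:11}  {line}")
```

On a router that translates addresses, both record types have to be taken from the same side of the translation, or the mirrored addresses will not match.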