[Dshield] TCP Port 17300 scans increased

Tim Rushing dshield at threenorth.com
Thu Jul 25 20:22:34 GMT 2002

At 12:36 PM 7/25/02 -0700, you wrote:
>On Thu, 2002-07-25 at 10:56, Blake McNeill wrote:
> > Anyone else seeing an increase in TCP port 17300 scans starting yesterday?
> >
> > http://www.members.shaw.ca/mcneillb/images/July24k.gif
> >
> > http://www.members.shaw.ca/mcneillb/images/July24l.gif
>    http://www.dshield.org/port_report.php?port=17300
>Maybe we need to refine the port activity report to reduce these kinds
>of questions on the list - perhaps it would be useful to add the number
>of reporting sites to the report.
>John Hardin                                   <johnh at aproposretail.com>

Actually, it looks like the big scan on 17 July included roughly as many 
targets as total number of scans.  (see 
http://isc.incidents.org/port_details.html?port=17300).  The weirder thing 
on these numbers are the last two days which appear to include more sources 
than targets. Though, still quite a small number of targets/reports for all 

I've seen one 17300 scan on my dial up account, which primarily only gets a 
small number of nimda/code red and SQL Server scans--and not very many of 
those.  So, on my very small system, this definitely stands out:

Jul 24 22:50:47 guardian kernel: Packet log: input REJECT ppp0 PROTO=6 a.b.c.249:17300 L=48 S=0x00 I=37305 F=0x4000 T=109 SYN (#6)

I'm also not sure what the value of reducing questions like this to the 
list is.  I realize that on a list as diverse and open as this, there is 
going to be something to offend everyone.  (Personally, I'd prefer to get a 
possible false early warning of something new than a log posting of another 
SQLSnake or Nimda scan.  Yet, I still think there is some value to those 
posts.)  We've already seen that many people don't care for the discussion 
on personal firewalls.  So, I guess I just don't understand the problem 
with a post like this.

            ---Tim Rushing

More information about the list mailing list