[Dshield] port scans 32769 to 33718
Johannes B. Ullrich
jullrich at sans.org
Thu Dec 25 19:22:28 GMT 2003
What is the source port for these scans?
This port range (32000 and up) is used by some NAT devices to
use for outbound traffic from the internal network.
So it could be that
(1) you are using such a device, and the return traffic got
blocked as it exceeded the timeout. In particular for UDP
traffic this happens easily as the firewall / NAT router
usually just uses some arbitrary timeout to keep state for
(2) someone behind a NAT device may be spoofing your IP address,
and you are seeing the return packets. Again, UDP traffic
is spoofed more easily than TCP.
If either is the case, I would expect that you see a source
port like 53, or another well known UDP port.
Not much you can do in either case. Only a few firewalls/routers
allow adjusting the timeout. And in case '2', there is not much
at all that could be done on your end.
On Thu, 2003-12-25 at 13:46, Barton L. Phillips wrote:
> I received about 20 port scans in the range 32769 to 33717 or 33718 UDP
> today. This is highly irregular. The scans are coming from many
> different IP addresses. A sample of the IP addresses follows:
> 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206,
> 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199 ...
> Has anyone else seen a larger than normal amount of port scans in this
> range? And if so what is it?
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 786 1563
fax: (617) 786 1550 jullrich at sans.org
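
Added example, not part of the original message or of any DShield tooling: a small triage routine that replays packet records through a stateful UDP table and labels blocked inbound packets according to the two cases in the reply above. The record layout, the 30-second timeout, the verdict names and the sample addresses are all assumptions constructed for illustration.

```python
from collections import namedtuple

# Constructed record layout (assumption): time in seconds, direction,
# remote IP, remote (source) port, local (destination) port. UDP only.
Pkt = namedtuple("Pkt", "t direction remote_ip remote_port local_port")

UDP_STATE_TIMEOUT = 30  # assumed NAT/firewall UDP idle timeout, in seconds
WELL_KNOWN_UDP = {53: "dns", 123: "ntp", 161: "snmp"}

def triage(packets, timeout=UDP_STATE_TIMEOUT):
    """Label each inbound UDP packet the way a stateful NAT would see it."""
    last_seen = {}  # (remote_ip, remote_port, local_port) -> last activity time
    verdicts = []
    for p in sorted(packets, key=lambda p: p.t):
        key = (p.remote_ip, p.remote_port, p.local_port)
        if p.direction == "out":
            last_seen[key] = p.t          # outbound packet creates/refreshes state
            continue
        seen = last_seen.get(key)
        if seen is not None and p.t - seen <= timeout:
            last_seen[key] = p.t          # in-time reply refreshes the entry
            verdicts.append((p, "allowed"))
        elif seen is not None:
            # Case (1): we did talk to this peer, but the state had expired.
            verdicts.append((p, "late-reply"))
        elif p.remote_port in WELL_KNOWN_UDP:
            # Case (2): a service answering a request this host never sent.
            verdicts.append((p, "possible-spoof-backscatter"))
        else:
            verdicts.append((p, "unexplained"))
    return verdicts

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Pkt(0,  "out", "192.0.2.53",   53,    32769),
    Pkt(1,  "in",  "192.0.2.53",   53,    32769),
    Pkt(45, "in",  "192.0.2.53",   53,    32769),
    Pkt(50, "in",  "198.51.100.7", 53,    33717),
    Pkt(60, "in",  "203.0.113.9",  40000, 33718),
]

def labels(packets=SAMPLE, timeout=UDP_STATE_TIMEOUT):
    return [verdict for _, verdict in triage(packets, timeout)]

if __name__ == "__main__":
    for pkt, verdict in triage(SAMPLE):
        print(f"t={pkt.t:>3} {pkt.remote_ip}:{pkt.remote_port} -> :{pkt.local_port}  {verdict}")
```

Only the "unexplained" bucket lacks the well-known source port the reply tells you to look for; the other blocked packets match one of its two explanations.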