[Dshield] port scans 32769 to 33718

Johannes B. Ullrich jullrich at sans.org
Thu Dec 25 19:22:28 GMT 2003


What is the source port for these scans?

This port range (32000 and up) is used by some NAT devices
for outbound traffic from the internal network.

So it could be that 
(1) you are using such a device, and the return traffic got
    blocked as it exceeded the timeout. In particular for UDP
    traffic this happens easily as the firewall / NAT router 
    usually just uses some arbitrary timeout to keep state for
    UDP.

(2) someone behind a NAT device may be spoofing your IP address,
    and you are seeing the return packets. Again, UDP traffic
    is spoofed more easily than TCP.

If either is the case, I would expect that you see a source
port like 53, or another well known UDP port.

Not much you can do in either case. Only a few firewalls/routers
allow adjusting the timeout. And in case '2', there is not much
at all that could be done on your end.


On Thu, 2003-12-25 at 13:46, Barton L. Phillips wrote:
> I received about 20 port scans in the range 32769 to 33717 or 33718 UDP 
> today. This is highly irregular. The scans are coming from many 
> different IP addresses. A sample of the IP addresses follows:
> 38.144.80.234, 66.250.59.83, 80.190.230.71, 137.118.60.88, 
> 152.20.240.35, 153.19.44.252, 194.85.132.210, 198.137.254.71 ...
> Has anyone else seen a larger than normal amount of port scans in this 
> range? And if so what is it?
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich at sans.org
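
The check described in the reply (look at the source port, and ask whether the dropped packet answers something you sent), as an added example that is not part of the original message. The log format, the addresses and the 30-second timeout are constructed assumptions, and the log is assumed to be taken on the external side of the NAT device so that outbound lines show the translated source port.

```python
from collections import namedtuple

UDP_STATE_TIMEOUT = 30   # assumed UDP state timeout of the NAT device, in seconds
WELL_KNOWN_MAX = 1023    # source ports at or below this are well-known service ports
Pkt = namedtuple("Pkt", "ts direction src sport dst dport")

def parse(line):
    """Parse the constructed format '<epoch> <OUT|DROP> <ip>:<port> -> <ip>:<port>'."""
    ts, direction, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Pkt(float(ts), direction, sip, int(sport), dip, int(dport))

def classify(lines, timeout=UDP_STATE_TIMEOUT):
    """Label each dropped inbound UDP packet with the most likely explanation."""
    last_out = {}  # (local ip, local port, remote ip, remote port) -> last outbound time
    results = []
    for pkt in map(parse, lines):
        if pkt.direction == "OUT":
            last_out[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts
            continue
        # A drop is inbound: reverse the tuple to find our own earlier request.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        sent = last_out.get(key)
        if sent is not None and pkt.ts - sent > timeout:
            label = "late-reply"                 # case (1): state expired before the answer
        elif sent is not None:
            label = "reply-within-timeout"       # state should still exist; check the device
        elif pkt.sport <= WELL_KNOWN_MAX:
            label = "unsolicited-service-reply"  # case (2): consistent with a spoofed source
        else:
            label = "unexplained"                # neither case; review as a possible scan
        results.append((pkt.src, pkt.sport, pkt.dport, label))
    return results

# Constructed sample log lines (documentation address ranges only).
SAMPLE = [
    "1072380000 OUT 203.0.113.10:32770 -> 192.0.2.53:53",
    "1072380045 DROP 192.0.2.53:53 -> 203.0.113.10:32770",
    "1072380050 DROP 198.51.100.7:53 -> 203.0.113.10:33001",
    "1072380060 DROP 198.51.100.9:40123 -> 203.0.113.10:33717",
]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```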
