[Dshield] Random source port from my network to port 80 on target network

Louis Hablas Lou.Hablas at rzim.org
Thu Oct 30 19:50:28 GMT 2003


Thanks for the quick reply... I figured as much, but wanted to run it by the
list in case I was missing something.  In all cases I've seen so far, the port on
my side is well north of 1024.



-----Original Message-----
From: John Sage [mailto:jsage at finchhaven.com]
Sent: Thursday, October 30, 2003 1:52 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Random source port from my network to port 80 on
target network


On Thu, Oct 30, 2003 at 10:21:48AM -0500, Louis Hablas wrote:
> Exhibit A: 
> 2003-10-23   20:49:13   external ip   65186   80   6
> 2003-10-23   20:49:48   external ip   65243   80   6
> Hello:
> I've noticed a few Dshield entries like these lately and am trying to
> understand what I'm seeing.  In this case, the destination IP address is
> Microsoft, so I feel certain the entry relates to Automatic Updates or
> other report back to the Mother Ship, but I'd appreciate any more
> insight/feedback from the list.

A TCP conversation between your local machine and a remote one (here,
something within the Microsoft address space) will likely take
place on a port > 1024 on your end.

Granted, here the source ports of 65186 and 65243 are rather toward
the high limit of 65353 (or is it 65535?) but in and of itself that's
not necessarily troubling.

- John
"Most people don't type their own logfiles;  but, what do I care?"
John Sage: InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
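
The triage discussed in this thread, as an added example that is not part of either poster's message: it parses entries in the column layout quoted above and labels the ones that look like the client side of an ordinary outbound TCP session. The column order (date, time, IP, source port, target port, protocol), the label names and the 1024 boundary as the heuristic are assumptions; the example also goes slightly beyond the thread by labelling the mirror-image case (service port as source) and out-of-range ports, and the 192.0.2.x lines are constructed.

```python
import re
from collections import Counter

MAX_PORT = 65535            # ports are 16-bit values
FIRST_UNPRIVILEGED = 1024   # below this is the well-known/privileged range
TCP = 6                     # IANA protocol number for TCP

# Assumed column layout, inferred from the entries quoted in the thread:
# date, time, IP, source port, target port, protocol number.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<ip>.+?)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<proto>\d+)$"
)

def classify(line):
    """Return (label, fields) for one log line; labels are hypothetical."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed", None
    f = m.groupdict()
    sport, dport, proto = int(f["sport"]), int(f["dport"]), int(f["proto"])
    f.update(sport=sport, dport=dport, proto=proto)
    if not (0 < sport <= MAX_PORT and 0 < dport <= MAX_PORT):
        return "invalid-port", f
    # Client side of a TCP session: unprivileged source, service destination.
    if proto == TCP and sport >= FIRST_UNPRIVILEGED > dport:
        return "likely-outbound-client", f
    # Mirror image: a service port answering a client's high port.
    if sport < FIRST_UNPRIVILEGED <= dport:
        return "likely-server-reply", f
    return "review", f

def summarize(lines):
    """Count labels over an iterable of log lines, skipping blank ones."""
    return Counter(classify(line)[0] for line in lines if line.strip())

SAMPLE = [
    "2003-10-23   20:49:13   external ip   65186   80   6",   # from the thread
    "2003-10-23   20:49:48   external ip   65243   80   6",   # from the thread
    "2003-10-24   08:01:02   192.0.2.10   80   1042   6",     # constructed
    "2003-10-24   08:05:40   192.0.2.77   4000   5000   6",   # constructed
    "2003-10-24   08:09:11   192.0.2.80   70000   80   6",    # constructed
    "not a log line",                                           # constructed
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{classify(line)[0]:24} {line}")
    print(dict(summarize(SAMPLE)))
```

Entries labelled `review` or `invalid-port` are the ones worth a second look; the port heuristic says nothing about whether the destination itself is expected.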
