[Dshield] Port 16387

Mike Yates myates at Washtechnical.com
Wed Mar 24 17:42:30 GMT 2004


----- Original Message ----- 
From: "Jonathan C. Webster" <jwebster03 at snet.net>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Tuesday, March 23, 2004 1:53 PM
Subject: Re: [Dshield] Port 16387


>
>
> Mike Yates wrote:
> > ----- Original Message ----- 
> > From: "John Sage" <jsage at finchhaven.com>
> >
> > Subject: Re: [Dshield] Port 16387
> >
> >
> >
> >>On Tue, Mar 23, 2004 at 01:44:32PM +0100, Stephane Grobety wrote:
> >>
> >>
> >>There are indications that the destination port, although *chosen*
> >>randomly or by some sort of algorithm related to the destination IP
> >>address, remains constant for a given destination IP address once
> >>chosen.
> >>
> >>I have only seen witty packets to my UDP:7141, for example..
> >
> >
> > But would 48 seperate inbounds (from all over the planet) be using the
same
> > target port for a given destination address?  This would imply either 1)
a
> > coordination or 2) a freak chance and I should buy a lottery ticket :-)
>
> Sure. Suppose the destination IP becomes the seed of a random number
generater with output scaled
> into the allowable port range.  I have seen that, when my ISP changed my
dynamic IP several times
> March 20, the destination port did change and for each of the probing
sources during my sometimes
> very short lease period of the IP.
>
>   Jonathan Webster

This would assume it's viral, which would "usually" target address blocks or
ranges, not a specific address.

The upside is it's slowing down (average 100 per minute) :-)




More information about the list mailing list