[Dshield] Ports 27015, 55000, 6881, 7008 and 65534

Sven Marten Czerwonka sven.marten.czerwonka at gmx.de
Thu Jan 5 17:34:09 GMT 2006

Jon R. Kibler wrote:

>A curiosity question... if you are reporting to DShield hits on any of the following ports: 
>	halflife        27015
>	(unknown)       55000
>	bittorrent      6881
>	afs3-update     7008
>	sbininitd       65534
>It would be real informative to everyone to know exactly what is going on. For the past couple of days, these ports have been among the top 10 ports (and for months, bittorrent has been in that group). However, unlike most ports where there are a large number of sources and an even larger number of targets, for these ports there are a modest number of sources and a trivial (< 50 most days) number of targets.
>So if you are among the couple of dozen sites reporting getting whacked on these ports, can you please answer these questions?
>	Are these ports under attack -- DDoS?
>	If not, why are you attracting so much bogus traffic to these ports?

As far as bittorrent is concerned, I just had a look at my reports 
submitted to dshield.  Just looking at the logs of the last two months 
there are days when I blocked and reported up to 10000 packets of 
bittorrent traffic (both tcp and udp) in just four hours and then the 
number slowly went down and there are days I did not see a single hit on 
port 6881...  comparing this with the time at which I am disconnected 
and get another IP (DSL-Dialup, disconnects every 24 hours) it looks as 
if it is clearly p2p afterglow... most likely the person who had my IP 
was heavily using Bittorrent... I don't think it to be any form of 
attack, just bad luck for me getting an IP that was used by someone 
"sharing" his files.

I suspect it is the same with halflife, but who knows...

Sven Marten Czerwonka
24106 Kiel

--- http://www.washbear-network.de ---
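
The correlation described in the reply above (port 6881 hits measured against the time the DSL line received a new IP), as an added example that is not part of the original post. The log tuples, lease start time, function names and the 60% threshold are constructed assumptions; the four-hour window follows the reply.

```python
from collections import Counter
from datetime import datetime, timedelta

def hourly_hits(events, lease_start, port, hours=24):
    """Count blocked packets to `port` per whole hour elapsed since the IP lease began."""
    counts = Counter()
    for ts, dport in events:
        offset = ts - lease_start
        if dport == port and timedelta(0) <= offset < timedelta(hours=hours):
            counts[int(offset.total_seconds() // 3600)] += 1
    return [counts.get(h, 0) for h in range(hours)]

def looks_like_afterglow(buckets, early_hours=4, early_share=0.6):
    """True when most hits fall in the first hours of the lease and the rate then drops.

    early_share is an assumed threshold, not a DShield value.
    """
    total = sum(buckets)
    if total == 0:
        return False
    early = sum(buckets[:early_hours])
    tail = buckets[early_hours:]
    head_rate = early / early_hours
    tail_rate = sum(tail) / len(tail) if tail else 0.0
    return early / total >= early_share and tail_rate < head_rate

def make_events(per_hour, lease_start, port):
    """Constructed sample data: spread per_hour[h] packets evenly through hour h."""
    return [(lease_start + timedelta(hours=h, seconds=i * 3600 // n), port)
            for h, n in enumerate(per_hour) for i in range(n)]

# Constructed inputs: a new IP at 03:00, then 24 hours of firewall drops.
LEASE_START = datetime(2006, 1, 4, 3, 0)
# Decaying burst on 6881 (peers still contacting the previous holder of the IP),
# plus steady unrelated hits on 27015 that the port filter must ignore.
AFTERGLOW = (make_events([400 >> h for h in range(24)], LEASE_START, 6881)
             + make_events([5] * 24, LEASE_START, 27015))
# Flat rate on 6881 all day: not tied to the lease change.
SUSTAINED = make_events([30] * 24, LEASE_START, 6881)

if __name__ == "__main__":
    for name, events in (("afterglow", AFTERGLOW), ("sustained", SUSTAINED)):
        buckets = hourly_hits(events, LEASE_START, 6881)
        print(name, buckets[:6], looks_like_afterglow(buckets))
```
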
