[Dshield] P2P Afterglow (Was: Question about DShield log parsing)

TRushing@hollandco.com TRushing at hollandco.com
Fri Jan 13 14:21:49 GMT 2006

>For example if you look at P2P traffic afterglow. 
>A couple of our top 10 ports are
>typically P2P traffic.

I've a question about P2P traffic.

I've been seeing an increase in inbound port 6346 on static IP addresses 
that have not changed for years.

For example, on my home DSL (static IP) account, here are weekly 6346 for 
the last month, with the most recent first:

Since Sunday 08 Jan:  338
Week of 01 Jan: 120
Week of 25 Dec: 13
Week of 18 Dec: 42
Week of 11 Dec: 27

IPs are scattered all over and it looks exactly like afterglow.  I'm 
seeing the same thing on some other static IP blocks too.

Did one of the P2P clients start scanning for peers to get away from any 
sort of central server?  Is there a vulnerability in a client that has 
just been released?


More information about the list mailing list