[Techtalk] port numbers

R. Daneel Olivaw linuxchix at r-daneel.com
Mon Aug 21 22:53:48 UTC 2006


Hi there,

As already told here, the port you mention doesn't seem to belong to
any known network activity.

> I was just concerned about 800 hits over 30 hours. Is this normal?

I would try to monitor any outgoing traffic that would match these
incoming hits (outgoing traffic to that IP, kinds of connections
always found before these packets; yes, this is a Pain in the A-- but
that's network monitoring sometimes). Looks as if someone is calling out
and is awaiting an incoming connection in return. FTP does that and some
other communications thingies do it (chat, videoconference, ...). Also,
try to know if these are directed hits (directed TO your IP) or
broadcasts (directed to something like 255.255.255.255). Lastly, we
still do not know if this is 'udp' or 'tcp', which could point us to the
type of connection trying to be established (maybe a router has lost its
paths and is sending you packets that do not belong to you); usually
media streams use udp, for instance.

Further diagnostic comes from the origin of the IP. If it is always the
same IP trying to connect, ban it with a 'reject' rule, for an hour, a
day, a week ... some bad programs retry connecting as long as they do
not get rejected properly (I know, I usually also drop packets silently
[grin]); at least, then, the sender program (yes, really, it cannot be
a human being :p) may be notified that it won't reach an end, and may
stop.

Now, if all this doesn't help, you may walk back the path to the IP,
try to find out the internet provider (abuse at ispdomain sometimes works).

If it goes on hitting your door, say, in a week or two (of clean and
plain rejection) then you may consider it as 'noise' ... ban that IP,
or at least, that port/IP pair so you don't get annoyed by useless
information.

Hope this helps a bit,

R. Daneel Olivaw,
The Human Robot Inside.
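As an added illustration of the triage described in the post above (directed vs broadcast, udp vs tcp, the same IP hitting again and again, then a reject rule for that IP/port pair), here is a small Python script that is not from the original thread. It runs over constructed iptables-style kernel log lines; the host address 192.0.2.10, port 31337 and the hit threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample iptables/kernel log lines (not from the original post).
SAMPLE_LOG = """\
Aug 21 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=4000 DPT=31337 LEN=40
Aug 21 10:01:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=4000 DPT=31337 LEN=40
Aug 21 10:02:15 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=255.255.255.255 PROTO=UDP SPT=4000 DPT=31337 LEN=40
Aug 21 10:02:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67 LEN=328
Aug 21 10:03:33 gw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=31337 SYN
Aug 21 10:04:41 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=4000 DPT=31337 LEN=40
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs in a netfilter log line
def parse_hits(log_text, my_ip, port):
    """One record per logged packet aimed at `port`: who sent it, udp/tcp,
    and whether it was directed to my_ip or sent to a broadcast address."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("DPT") != str(port):
            continue
        dst = fields.get("DST", "")
        hits.append({
            "src": fields.get("SRC", "?"),
            "proto": fields.get("PROTO", "?").lower(),
            "directed": dst == my_ip,
            "broadcast": dst == "255.255.255.255" or dst.endswith(".255"),
        })
    return hits

def triage(hits, threshold):
    """Per-source summary; a source at/above `threshold` hits is a ban candidate."""
    per_src = defaultdict(lambda: {"count": 0, "directed": 0, "broadcast": 0, "protos": Counter()})
    for h in hits:
        s = per_src[h["src"]]
        s["count"] += 1
        s["directed"] += int(h["directed"])
        s["broadcast"] += int(h["broadcast"])
        s["protos"][h["proto"]] += 1
    return {src: dict(v, ban_candidate=v["count"] >= threshold) for src, v in per_src.items()}

def reject_rule(src, proto, port):
    """iptables REJECT (not DROP) rule for one IP/port pair, so the remote
    program gets an error back and may give up, as the post suggests."""
    extra = " --reject-with tcp-reset" if proto == "tcp" else ""
    return f"iptables -A INPUT -s {src} -p {proto} --dport {port} -j REJECT{extra}"

if __name__ == "__main__":
    print(triage(parse_hits(SAMPLE_LOG, "192.0.2.10", 31337), 3))
```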

