Port 1028 - Security



Thread: Port 1028

  1. Port 1028

    I have ports 1026 and 1027 blocked. I don't remember why. But I have
    recently noticed probes on port 1028 UDP. Does anyone know what it is?
    The IP addresses are far away from mine.


    Dec 22 07:08:30 -0700 SRC=61.152.158.126 DST=4.240.111.196 PROTO=UDP SPT=55169 DPT=1028
    Dec 22 07:15:44 -0700 SRC=61.152.158.126 DST=4.240.111.196 PROTO=UDP SPT=58980 DPT=1028


    --

    Felix Tilley
    MAJ, LARTvocate
    Fanatic Legions
    1-800-555-LART


  2. Re: Port 1028

    Felix Tilley wrote:
    > I have ports 1026 and 1027 blocked. I don't remember why. But I have
    > recently noticed probes on port 1028 UDP. Does anyone know what it is?
    > The IP addresses are far away from mine.
    >
    >
    > Dec 22 07:08:30 -0700 SRC=61.152.158.126 DST=4.240.111.196 PROTO=UDP SPT=55169 DPT=1028
    > Dec 22 07:15:44 -0700 SRC=61.152.158.126 DST=4.240.111.196 PROTO=UDP SPT=58980 DPT=1028


    1028 is what comes after 1026 and 1027 when somebody starts counting at
    1025. Really. Looking to the future, I predict 1029 will be next.

  3. Re: Port 1028

    On Thu, 22 Dec 2005 21:54:32 +0000, Allen Kistler shouted Hoy......

    >
    >
    > Felix Tilley wrote:
    >> I have ports 1026 and 1027 blocked. I don't remember why. But I have
    >> recently noticed probes on port 1028 UDP. Does anyone know what it is?
    >> The IP addresses are far away from mine.
    >>
    >>
    >> Dec 22 07:08:30 -0700 SRC=61.152.158.126 DST=4.240.111.196 PROTO=UDP SPT=55169 DPT=1028
    >> Dec 22 07:15:44 -0700 SRC=61.152.158.126 DST=4.240.111.196 PROTO=UDP SPT=58980 DPT=1028

    >
    > 1028 is what comes after 1026 and 1027 when somebody starts counting at
    > 1025. Really. Looking to the future, I predict 1029 will be next.


    Really? Surely you must be jesting.

    --
    Dancin' in the ruins tonight
    mail: echo onub-hgbg@pbyhzohf.ee.pbz | perl -pe 'y/a-z/n-za-m/'
    Tayo'y Mga Pinoy


  4. Re: Port 1028

    On Thu, 22 Dec 2005, in the Usenet newsgroup comp.os.linux.security, in article , Felix Tilley wrote:

    >I have ports 1026 and 1027 blocked. I don't remember why. But I have
    >recently noticed probes on port 1028 UDP. Does anyone know what it is?
    >The IP addresses are far away from mine.


    The "probes" are almost certainly windoze messenger spam - pop-up ads
    saying something like

    System...
    User...
    STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.

    Windows has found 39 CRITICAL SYSTEM ERRORS!

    To fix the errors please do the following:
    1. Download Registry Repair from: www.some.wankers.website
    2. Install Registry Repair
    3. Run Registry Repair
    4. Reboot your computer
    FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!

    The number of "CRITICAL" errors varied randomly from 20 to 99. This dire
    news is obviously a concern - especially given that I haven't had a
    windoze box in the house for 13+ years.

    >Dec 22 07:08:30 -0700 SRC=61.152.158.126 DST=4.240.111.196 PROTO=UDP
    >SPT=55169 DPT=1028


    Size not shown - should be something between 350 and 1000 octets. While the
    address you show is CHINANET Shanghai province network, you should be aware
    that UDP is connectionless, and the address may well be faked. In early
    November, I logged this traffic on my home firewall for a week (average
    about 1000 packets/day, 1/2 Meg/day, destination ports 1025 to 1031 in a
    chopped bell shaped curve centered at 1026.65 std.dev = 0.975), and noted
    about 3 percent of the traffic claimed to originate from IP addresses that
    IANA hasn't allocated yet. The spam-vertised web site was something newly
    registered (in the preceding week) and the names changed several times
    during the week. In my case, all the sites were hosted by a well known
    spam support provider in the state of Washington. The registrations used
    several registrars, and all appeared to be blatantly bogus data.

    This is one case where ignoring the packets (ipfwadm/IPCHAINS = DENY,
    iptables = DROP) is useful, as it reduces your traffic by some (small)
    amount. At work, we port translate _outbound_ traffic (mainly DNS queries)
    out of the range 1025 to a higher number (say 1075) or so to higher port
    numbers. This allows our upstream to drop _all_ inbound traffic in that
    range. At roughly a half Meg a day per address, this traffic can add up to
    a substantial number otherwise.

    Old guy
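    The week-long log analysis in the post above (per-port distribution across 1025 to 1031, the mean and standard deviation of the destination port, packet sizes, and the share of packets whose claimed source address cannot be legitimate) can be reproduced on a firewall log with a short script. The following is an added example, not code from the thread or from any poster. It parses the same `KEY=VALUE` style of line that Felix quoted; the sample lines are constructed (the public addresses are the two quoted in the thread, the RFC 1918 sources, ports and `LEN` values are made up). The poster's check was against blocks IANA had not yet allocated in 2005; as a stand-in, the script uses the standard library's `ipaddress` `is_global` flag, which catches sources that can never arrive from the Internet (private, loopback, link-local and similar ranges).

```python
"""Summarise UDP "messenger spam" probes from iptables-style firewall log lines.

Added example (not from the thread). Input is the KEY=VALUE format quoted in the
thread; the LEN field is assumed, as iptables logging includes it but the quoted
lines omit it.
"""
import ipaddress
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample log. Public addresses are the ones quoted in the thread;
# the private sources, ports and LEN values are invented for the example.
SAMPLE_LOG = """\
Dec 22 07:08:30 -0700 SRC=61.152.158.126 DST=4.240.111.196 PROTO=UDP SPT=55169 DPT=1028 LEN=612
Dec 22 07:15:44 -0700 SRC=61.152.158.126 DST=4.240.111.196 PROTO=UDP SPT=58980 DPT=1026 LEN=580
Dec 22 07:16:02 -0700 SRC=10.9.8.7 DST=4.240.111.196 PROTO=UDP SPT=40001 DPT=1027 LEN=700
Dec 22 07:20:19 -0700 SRC=61.152.158.126 DST=4.240.111.196 PROTO=UDP SPT=41234 DPT=1026 LEN=400
Dec 22 07:21:00 -0700 SRC=192.168.1.50 DST=4.240.111.196 PROTO=UDP SPT=1025 DPT=1025 LEN=900
Dec 22 07:22:31 -0700 SRC=61.152.158.126 DST=4.240.111.196 PROTO=TCP SPT=41235 DPT=1026 LEN=60
Dec 22 07:23:05 -0700 SRC=61.152.158.126 DST=4.240.111.196 PROTO=UDP SPT=53 DPT=53 LEN=80
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
PORT_WINDOW = range(1025, 1032)  # 1025..1031, the band the poster observed


def parse_line(line):
    """Return the KEY=VALUE fields of one log line as a dict of strings."""
    return dict(FIELD_RE.findall(line))


def summarise(log_text, window=PORT_WINDOW):
    """Count UDP packets per destination port inside the window, compute the
    port distribution and total octets, and list source addresses that cannot
    be globally routable (spoofed or bogon claims of origin)."""
    per_port = Counter()
    dports = []
    octets = 0
    bogus_sources = set()
    bogus_packets = 0
    for line in log_text.splitlines():
        f = parse_line(line)
        # Only UDP lines with a destination port matter here; TCP is skipped.
        if f.get("PROTO") != "UDP" or "DPT" not in f:
            continue
        dport = int(f["DPT"])
        if dport not in window:
            continue
        per_port[dport] += 1
        dports.append(dport)
        octets += int(f.get("LEN", 0))
        src = ipaddress.ip_address(f["SRC"])
        # UDP is connectionless, so SRC is whatever the sender wrote; a
        # non-global address proves the claimed origin is false.
        if not src.is_global:
            bogus_sources.add(str(src))
            bogus_packets += 1
    return {
        "packets": len(dports),
        "per_port": dict(per_port),
        "mean_dport": mean(dports) if dports else None,
        "stdev_dport": pstdev(dports) if len(dports) > 1 else None,
        "octets": octets,
        "bogus_sources": sorted(bogus_sources),
        "bogus_packets": bogus_packets,
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

    Run against a real iptables log, the per-port counter and the mean/stdev are the poster's "chopped bell shaped curve" figures, `octets` gives the daily volume that justifies a plain DROP, and `bogus_sources` is the set to ignore outright rather than report to the abuse contact of the claimed network.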
