Results 1 to 3 of 3
Last night 24 unique IP addresses all tried to 'connect' to port 17071 (using the UDP protocol) on my server within the course of a minute. Each unique IP address ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 01-05-2009 #1
Curious log entries on DPT=17071
Last night 24 unique IP addresses all tried to 'connect' to port 17071 (using the UDP protocol) on my server within the course of a minute. Each unique IP address attempted between 9 and 18 times, giving a total of 242 attempts.
I ran `whois` on a couple of them, and it seems their origins are rather scattered around the world. The first thing that came to mind was that I had ran something like Limewire without making an exception in my firewall. That has about the same effect. But I didn't run anything at that time and sure no p2p client. Besides, it started and stopped and only took a minute.
I tried to get some info on what uses port 17071, but according to the IANA it is unassigned. I also double checked, but there's nothing running on that port on my side. At least, as far as I can tell.
Now I'm curious, what could such a sudden burst of attempts have been? If it was just one IP address it would not have concerned me much as that happens all the time (but not on that port), but these are 24 unique IP's coming from several different continents even in the course of a minute.
Two typical examples of log entries.
# anonymized: Jan 5 01:16:34 myserver kernel: HOSTILE_COUNTRY DROP IN=eth2 OUT= MAC=00:03:75:22:7d:64:13:1e:ca:20:12:05:08:00 SRC=96.229.xxx.xxx DST=62.108.xxx.xxx LEN=61 TOS=0x00 PREC=0x00 TTL=48 ID=63313 PROTO=UDP SPT=9345 DPT=17071 LEN=41 Jan 5 01:16:34 myserver kernel: UNMARKED_COUNTRY LOG IN=eth2 OUT= MAC=00:03:75:22:7d:64:13:1e:ca:20:12:05:08:00 SRC=75.53.xxx.xxx DST=62.108.xxx.xxx LEN=61 TOS=0x00 PREC=0x00 TTL=48 ID=63569 PROTO=UDP SPT=1345 DPT=17071 LEN=41Can't tell an OS by it's GUI
- 01-05-2009 #2
The chances that 24 different ip address all try to connect to the same un-open port at the same time is un-usual.
Here is my belief.
This is just one system probing your system for an open port. The reason you see 24 different ip address is to mask the real ip address of the system scanning your system.
By using 24 different ip addresses it is going to take you a lot longer to track them down. They are hiding themselves and by using 24 ip addresses it usually is a good chance that you will not catch them or figure out what the real ip address of the probing machine.
There is plenty of software out there that will allow you to probe a machine using many ip addresses to hide in. You could write your own script to do this also.
The adventure of a life time.
Linux User #296285
- 01-05-2009 #3
Ah yes, that makes sense. Clever. Thanks!Can't tell an OS by it's GUI