Security Incidents mailing list archives

RE: Question about port scans

From: "Milliken, Larry" <lmilliken () uslec com>
Date: Wed, 13 Jun 2001 11:43:54 -0400

Correct about the source port being 53..The source address is 212.67.33.15..

-----Original Message-----
From: Christopher L. Morrow [mailto:chris () UU NET]
Sent: Wednesday, June 13, 2001 11:38 AM
To: Milliken, Larry
Cc: incidents () securityfocus com
Subject: Re: Question about port scans

On Wed, 13 Jun 2001, Milliken, Larry wrote:

I have a number of port scans in my log for port 42484.  I cannot find any
info on trojans/viruses on this..Does anyone know what uses this port?


You'll notice that the 'source' port for this is 53 and it's TCP, eh? and
the source address is: 213.68.200.20, eh? I captured a few of these
packets all were resets.... so I assumed this host was being flooded and
the traffic I saw was 'backscatter'.

Looking at the logs I have for this I do notice that the hosts are being
hit almost sequentially which is strange for most flooders are more random
than this :(

Current thread:

Question about port scans Milliken, Larry (Jun 13)
- Re: Question about port scans Christopher L. Morrow (Jun 13)
- <Possible follow-ups>
- RE: Question about port scans Milliken, Larry (Jun 13)