Security Incidents mailing list archives

Re: TCP port 3218


From: G.E.Fowler () LBORO AC UK (Graeme Fowler)
Date: Thu, 16 Mar 2000 12:03:31 -0000


On 14-Mar-2000 Boris Badenov wrote:
People have begun probing this port on my firewall recently.
I can't figure out what they're expecting to find tho': it's
not in the IANA assigned ports or on any of the trojan ports
lists I've seen.

If you really meant port 3128 and *not* 3218, it's someone scanning for
'squid' HTTP proxies.

Squid listens for client HTTP requests by default on port 3128. Open
HTTP proxies (i.e. those without any client ACLs) can be a problem as
they can allow multiple-layer laundering of either TCP 'CONNECT'
requests or HTTP 'GET/HEAD/POST' requests. What this basically means is
that J.Random-Surfer in the USA (say) can make himself look like he's
in Mexico and get up to all sorts of Bad JuJu.

I'm involved with the management of a national caching system and in
the end we had to block external HTTP request access to our machines
(*not* using 3128 I hasten to add!) at the boundary routers on our
backbone network, simply due to the massive amount of unauthorised use
they were getting.

Having said all that, if it really is 3218 then I have no idea at all :)

Graeme

--
Graeme Fowler
Network Officer, Infrastructure & Networks Group
Loughborough University Computing Services
+44 1509 228426
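
An added example, not part of the original post: a small auditor that reads a squid.conf and reports whether a given client address could get a request allowed, which is the "no client ACLs" condition the reply describes. The function names and both sample configurations are constructed for illustration; only IPv4 `src` ACLs are modelled, and other ACL types are treated pessimistically.

```python
import ipaddress

def parse(conf):
    """Collect 'src' ACLs and the ordered http_access rules from squid.conf text."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}  # 'all' is predefined in current Squid
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(a, strict=False) for a in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def may_allow(conf, client_ip):
    """Worst case: could some request from client_ip be allowed by this config?"""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)

    def matches(name, action):
        nets = acls.get(name.lstrip("!"))
        if nets is None:
            # ACL type not modelled (port, method, ...): assume the client can
            # satisfy allow rules and steer clear of deny rules.
            return action == "allow"
        return any(ip in n for n in nets) != name.startswith("!")

    for action, names in rules:  # first rule whose ACLs all match wins
        if all(matches(n, action) for n in names):
            return action == "allow"
    # No rule matched: Squid applies the opposite of the last rule (deny if none).
    return bool(rules) and rules[-1][0] == "deny"

# Constructed sample: no client ACL, so any address can use the proxy.
OPEN = """http_port 3128
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow all
"""
# Constructed sample: only internal clients are allowed.
RESTRICTED = """http_port 3128
acl localnet src 192.168.0.0/16 10.0.0.0/255.0.0.0
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for name, conf in (("OPEN", OPEN), ("RESTRICTED", RESTRICTED)):
        print(name, "external client allowed:", may_allow(conf, "203.0.113.9"))
```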


