Security Incidents mailing list archives

Re: Large increase in port 32772 activity


From: Jeff Kell <jeff-kell () utc edu>
Date: Mon, 29 Dec 2003 14:00:38 -0500

Christopher Harrington wrote:

All,

Several of our customers are seeing very significant increase in port
32772 activity. They are single packets of which I do not have the size.
One customer had over 1500 different hosts sending a single packet to
32772 in a 6 hour period. The vast majority of those hosts were probably
zombies since they were Verizon DSL, Comcast, AT&T IP addresses. I know
spammers look for 32772 to be open because Checkpoint can use this port
for SMTP.

Ports 32770-32789 are technically "RPC Loopback" ports. Quoting from the SANS recommendations: "Block the RPC portmapper, port 111 (TCP and UDP) and Windows RPC, port 135 (TCP and UDP), at the border router or firewall. Block the RPC "loopback" ports, 32770-32789 (TCP and UDP)." See http://www.sans.org/top20/.

However, I have found that many default versions of BIND will also use these as ephemeral ports when querying another name server. For this purpose we allow 32770-32789 -> 53.

Jeff
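
The filtering policy described in the message above, as an added example that is not part of the original post: it blocks ports 111, 135 and 32770-32789 (TCP and UDP), applies the 32770-32789 -> 53 exception first, and counts distinct sources per blocked port. The log line format, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

RPC_LOOPBACK = range(32770, 32790)  # 32770-32789 inclusive, per the quoted SANS text
RPC_SERVICES = {111, 135}           # RPC portmapper and Windows RPC

def verdict(proto, sport, dport):
    """Border decision for one packet under the policy described in the post."""
    if proto not in ("tcp", "udp"):
        return "other"
    # Exception first: BIND querying a name server from a loopback-range port.
    if sport in RPC_LOOPBACK and dport == 53:
        return "allow"
    if dport in RPC_SERVICES or dport in RPC_LOOPBACK:
        return "block"
    return "other"  # left to the rest of the rule set

# Assumed log format: "... proto=TCP src=IP:PORT dst=IP:PORT"
LINE = re.compile(r"proto=(\w+) src=([\d.]+):(\d+) dst=([\d.]+):(\d+)")

def summarize(lines):
    """Return {destination port: set of source IPs} for blocked packets."""
    sources = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        proto, src, sport, _dst, dport = m.groups()
        if verdict(proto.lower(), int(sport), int(dport)) == "block":
            sources[int(dport)].add(src)
    return dict(sources)

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    "2003-12-29T10:00:01 proto=TCP src=198.51.100.7:4312 dst=192.0.2.10:32772",
    "2003-12-29T10:00:02 proto=TCP src=198.51.100.8:1190 dst=192.0.2.10:32772",
    "2003-12-29T10:00:03 proto=TCP src=198.51.100.7:4313 dst=192.0.2.11:32772",
    "2003-12-29T10:00:04 proto=UDP src=192.0.2.53:32772 dst=203.0.113.5:53",
    "2003-12-29T10:00:05 proto=UDP src=198.51.100.9:1025 dst=192.0.2.10:111",
    "2003-12-29T10:00:06 proto=TCP src=198.51.100.9:1026 dst=192.0.2.10:80",
    "malformed line without the expected fields",
]

if __name__ == "__main__":
    for port, srcs in sorted(summarize(SAMPLE).items()):
        print(f"port {port}: {len(srcs)} distinct source(s)")
```
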

