Security Incidents mailing list archives

Re: Port 2979 Activity


From: Byron Sonne <blsonne () rogers com>
Date: Mon, 15 Mar 2004 13:28:46 -0500

I'm seeing a surge in TCP Port 2979 activity. I don't have accurate numbers as yet, but I can safely say I'm being scanned on that port no less than 30 times a minute. It seems to be an H.263 Video Streaming service (http://www.seifried.org/security/ports/2000/2979.html). Source IPs are random and not restricted to a particular block. Thoughts, anyone?

I would be wary of assuming that it has to be H.263 just 'cos of the port number. I'd want to capture some of the traffic so I could take a better look inside and see what the stuff is. Port numbers are by no means exclusive to a particular protocol/application (although it would be nice if that were the case!).

As I don't know what your network architecture is, I'm limited in what I can propose. For instance, I'm using NAT on my network, and my IDS (well, the older one anyways) will oftentimes indicate that trojan or DDOS tool traffic is being detected. What it really turns out to be is that the port mapping aspect of NAT happens to temporarily pick a port that is used by those tools. So otherwise benign traffic can trigger false alarms. Mind you, I'd rather have to wade through false alarms than no alarms at all.

So to sum it up: capture and analyze traffic, be aware of how your topology may affect results, and perhaps map out the questionable protocol flows. Get a good detailed picture of what's going on and that should help out a lot.

--

For Good, return Good. For Evil, return Justice.
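Below, as an added example that is not part of Byron's reply or the original post, is a small Python triage script doing the two things the reply recommends: treat the port number as a hint rather than an identification, and account for NAT before counting hits. It parses constructed firewall-style log lines in an assumed format, separates unsolicited SYNs to 2979 from the outbound connections (and their return packets) that NAT happened to map to source port 2979, and reports the probe rate per minute and the spread of source addresses. The gateway address, the log format and all IPs (RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""Triage log lines for TCP/2979 hits: separate unsolicited probes from
NAT ephemeral-port artefacts. Added example; the log lines and addresses
are constructed (RFC 5737 documentation ranges), not from the original post."""
import re
from collections import Counter

LOCAL_IP = "192.0.2.10"       # assumed: the NAT gateway's public address
PORT_OF_INTEREST = 2979

# Assumed log format: "<ISO ts> <action> <proto> <src>:<sport> -> <dst>:<dport> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z,]+)$"
)

# Constructed sample: five inbound SYNs from unrelated sources, one outbound
# web connection that NAT happened to map to source port 2979 (plus its
# return packets), and one stray ACK with no matching flow.
SAMPLE_LOG = """\
2004-03-15T13:20:01 DROP TCP 203.0.113.7:4123 -> 192.0.2.10:2979 SYN
2004-03-15T13:20:03 DROP TCP 198.51.100.22:61002 -> 192.0.2.10:2979 SYN
2004-03-15T13:20:05 ALLOW TCP 192.0.2.10:2979 -> 198.51.100.80:80 SYN
2004-03-15T13:20:05 ALLOW TCP 198.51.100.80:80 -> 192.0.2.10:2979 SYN,ACK
2004-03-15T13:20:06 DROP TCP 203.0.113.99:3390 -> 192.0.2.10:2979 SYN
2004-03-15T13:21:02 DROP TCP 203.0.113.7:4124 -> 192.0.2.10:2979 SYN
2004-03-15T13:21:07 ALLOW TCP 198.51.100.80:80 -> 192.0.2.10:2979 ACK
2004-03-15T13:21:15 DROP TCP 198.51.100.22:61003 -> 192.0.2.10:2979 SYN
2004-03-15T13:21:20 DROP TCP 203.0.113.50:1025 -> 192.0.2.10:2979 ACK
"""


def parse_log(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
        r["flags"] = set(r["flags"].split(","))
        records.append(r)
    return records


def classify(records, local_ip=LOCAL_IP, port=PORT_OF_INTEREST):
    """Label each record. Flows the gateway itself opened from local_ip:port are
    NAT artefacts; their return packets are matched on (remote ip, remote port).
    An inbound SYN to the port with no such flow is an unsolicited probe."""
    opened = set()   # (remote_ip, remote_port) of flows we initiated from :port
    labelled = []
    for r in records:
        if r["proto"] != "TCP":
            label = "other"
        elif r["src"] == local_ip and r["sport"] == port:
            opened.add((r["dst"], r["dport"]))
            label = "nat_outbound"
        elif r["dst"] == local_ip and r["dport"] == port:
            if (r["src"], r["sport"]) in opened:
                label = "nat_return"
            elif "SYN" in r["flags"] and "ACK" not in r["flags"]:
                label = "probe"
            else:
                label = "unsolicited_non_syn"   # stray ACK/RST: backscatter, not a scan
        else:
            label = "other"
        labelled.append((r, label))
    return labelled


def summarize(labelled):
    """Rate, source spread and NAT-artefact count for the probe records only."""
    probes = [r for r, label in labelled if label == "probe"]
    per_minute = Counter(r["ts"][:16] for r in probes)   # "YYYY-MM-DDTHH:MM"
    sources = Counter(r["src"] for r in probes)
    return {
        "probe_count": len(probes),
        "per_minute": dict(per_minute),
        "unique_sources": len(sources),
        "top_sources": sources.most_common(3),
        "nat_artefacts": sum(1 for _, label in labelled if label.startswith("nat_")),
    }


def triage(text):
    return summarize(classify(parse_log(text)))


if __name__ == "__main__":
    for r, label in classify(parse_log(SAMPLE_LOG)):
        print(f"{label:20s} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"{','.join(sorted(r['flags']))}")
    print(triage(SAMPLE_LOG))
```

On the sample, three of the nine port-2979 lines are the NAT-mapped web connection and would have inflated a raw "hits on 2979" count by a third; only the five unsolicited SYNs from three distinct sources count as scanning. For the capture step itself, something like `tcpdump -nn -s0 -w port2979.pcap 'tcp port 2979'` records full packets in both directions so the payload, not the port name, can be used to decide what the protocol actually is.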

