FAQ: Firewall Forensics (What am I seeing?)
This document explains what you see in firewall logs, especially what port numbers
mean. You can use this information to help figure out what hackers are up to.
This document is intended for both security-experts maintaining corporate firewalls
as well as home users of personal firewalls.
0. Information about this FAQ
Version 0.4.1, June 20, 2000
Copyright 1998-2000 by Robert Graham (mailto:firstname.lastname@example.org).
All rights reserved. This document may only be reproduced (whole or in part) for
non-commercial purposes. All reproductions must contain this copyright notice and must not
be altered, except by permission of the author.
Special thanks to Alan J. Rosenthal (maintainer of FAQs himself) for some really good
- 1. What does destination port number ZZZZ mean?
  GUIDE | source-ports | many-to-one | can't figure it out
- 2. What does this ICMP info
  0 (echo reply) | 3 (unreachable) | 4 (source quench) | 8 (ping) | 11 (ttl exceeded) | 12 (problem)
- 3. What do these IP addresses
  owner | 10.x.x.x | known IP addresses | 0.0.0.0 | directed-broadcasts
- 4. Stuff doesn't work
- 5. What are some typical signatures of well-known programs?
  scanners | smurf | fraggle
- 7. What do these other logs
- 8. How do I configure
  filters | split DNS
- 9. Packet Zen
  IP ID
- 10. What's the deal with NetBIOS (UDP port 137)?
  I'm not Win? | Statistics | Signature | rid of them? | Attacks
- A. Appendix
You'll note that some sections are missing. This is an evolving document; when
sections are removed (because the info is moved into other sections), I don't renumber the
1. What does destination port number ZZZZ mean?
All the traffic going through the firewall is part of a connection. A connection
consists of the pair of IP addresses that are talking to each other, as well as a pair of port
numbers. The destination port number often indicates the type of service being
connected to. When a firewall blocks a connection, it will save the destination port
number to its logfile. This section describes some of the meanings of these port numbers.
Port numbers are divided into three ranges:
- The Well Known Ports are those from 0 through 1023. These are tightly bound to services,
and usually traffic on this port clearly indicates the protocol for that service. For
example, port 80 virtually always indicates HTTP traffic.
- The Registered Ports are those from 1024 through 49151. These are loosely bound to
services, which means that while there are numerous services "bound" to these
ports, these ports are likewise used for many other purposes. For example, most systems
start handing out dynamic ports starting around 1024.
- The Dynamic and/or Private Ports are those from 49152 through 65535. In theory, no
service should be assigned to these ports.
In reality, machines start assigning "dynamic" ports starting at 1024. We
also see strangeness, such as Sun starting their RPC ports at 32768.
Where to get a more complete list of port info:
- "Assigned Numbers" RFC, the official source for port assignments.
- Database of port numbers, hyper-linked to various exploits on those port numbers.
- On UNIX systems, the file
/etc/services contains a list of commonly used
UNIX port number assignments. On Windows NT, this file is located in
- Links back to the protocol specifications frequently.
- Pages describing various ports.
- TLSecurity's list of Trojans. Rather than a collection of rumors by other people, the
maintainers of this list claim to verify each and every port personally.
- Trojan Horse probes page.
1.1 What are some common incoming TCP/UDP probes against my
This section contains a list of common TCP and UDP port scans that people see against
their firewalls. Note: there is no such thing as an ICMP port. If you are
interested in interpreting ICMP data, look in section 2.
||Commonly used to help determine the operating system. This works because on some
systems, port 0 is "invalid" and will generate a different response when you
connect to it vs. a normal closed port. One typical scan uses a destination IP address of
0.0.0.0 and sets the ACK bit, with broadcast at the Ethernet layer.
||Indicates someone searching for SGI Irix machines. Irix is the only major vendor that
has implemented tcpmux, and it is enabled by default on Irix machines. Irix machines ship
with several default passwordless accounts, such as lp, guest, uucp, nuucp, demos, tutor,
diag, EZsetup, OutOfBox, and 4Dgifts. Many administrators forget to close these accounts
after installation. Therefore, hackers scan the Internet looking first for tcpmux, then
these accounts. [CA-95.15]
||You will see lots of these from people looking for fraggle
amplifiers sent to addresses of x.x.x.0 and x.x.x.255.
A common DoS attack is an echo-loop,
where the attacker forges a UDP packet from one machine and sends it to the other, then both
machines bounce packets off each other as fast as they can (see also chargen). [CA-96.01]
Another common thing seen is TCP connections to this port by DoubleClick. They use a
product called "Resonate Global Dispatch" that connects to this port on DNS
servers in order to locate the closest one.
Harvest/squid caches will send UDP echoes from port 3130. To quote: If the cache is
source_ping on, it also bounces a HIT reply off the original
host's UDP echo port. It can generate a lot of these packets.
||This is a UNIX service that will list all the running processes on a machine and who
started them. This gives an intruder a huge amount of information that might be used to
compromise the machine, such as indicating programs with known vulnerabilities or user
accounts. It is similar to the output of the UNIX "ps"
command. ICMP doesn't have ports; if you see something that says "ICMP port
11", you probably want ICMP type=11.
||This is a service that simply spits out characters. The UDP version will respond with
a packet containing garbage characters whenever a UDP packet is received. On a TCP
connection, it spits out a stream of garbage characters until the connection is closed.
Hackers can take advantage of IP spoofing for denial of service attacks. Forging UDP
packets between two chargen servers, or a chargen and echo can overload
links as the two servers attempt to infinitely bounce the traffic back and forth.
Likewise, the "fraggle"
DoS attack broadcasts a packet destined to this port with a forged victim address, and the
victim gets overloaded with all the responses. [CA-96.01]
||The most common attack you will see are hackers/crackers looking for "open
anonymous" FTP servers. These are servers with directories that can be written to and
read from. Hackers/crackers use these machines as way-points for transferring warez
(pirated programs) and pr0n (intentionally misspelled word to avoid search engines
classifying this document).
|TCP connections to this port might indicate a search for ssh, which has a
few exploitable features. Many versions using the RSAREF library can be
exploited if they are configured in a certain fashion. (Suggestion: run ssh on some other
Also note that the ssh package comes with a program called make-ssh-known-hosts
that will scan a domain
for ssh hosts. You will sometimes be scanned from innocent people running this
UDP (rather than TCP) packets directed at this port along with port 5632 indicate
a scan for pcAnywhere. The number 5632 is (hex) 0x1600, which byte-swapped is 0x0016,
which is 22 decimal.
||The intruder is looking for a remote login to UNIX. Most of the time intruders scan
for this port simply to find out more about what operating system is being used. In
addition, if the intruder finds passwords using some other technique, they will try the
||Spammers are looking for SMTP servers that allow them to "relay" spam. Since
spammers keep getting their accounts shut down, they use dial-ups to connect to high
bandwidth e-mail servers, and then send a single message to the relay with multiple
addresses. The relay then forwards to all the victims. SMTP servers (esp. sendmail)
are one of the favorite ways to break into systems because they must be exposed to the
Internet as a whole and e-mail routing is complex (complexity + exposure = vulnerability).
||DNS. Hackers/crackers may be attempting to do zone transfers (TCP), to spoof DNS
(UDP), or even hide other traffic since port 53 is frequently neither filtered nor logged.
An important thing to note is that you will frequently see port 53 used
as the source UDP port. Stateless firewalls frequently allow such traffic on the
assumption that it is a response to a DNS query. Hackers are increasingly exploiting this
to pierce firewalls.
|67 and 68
|Bootp/DHCP over UDP. Firewalls hooked to DSL and cable-modem lines see a ton of these
sent to the broadcast address 255.255.255.255.
These machines are asking for an address assignment from a DHCP server. You could
probably hack into them by giving them such an assignment and specifying yourself as the
local router, then execute a wide range of man-in-the-middle
attacks. The client requests configuration on a broadcast to port 68 (bootps). The server
broadcasts back the response to port 67 (bootpc). The response uses some type of broadcast
because the client doesn't yet have an IP address that can be sent to.
||(over UDP). Many servers support this protocol in conjunction with BOOTP in order to
download boot code to the system. However, they are frequently misconfigured to provide
any file from the system, such as password files. They can also be used to write files to
||Hackers are trying to:
||The utility "linuxconf"
provides easy administration of Linux boxen. It includes a web-enabled interface at port 98
through an integrated HTTP server. It has had a number of security issues. Some versions
root, trust the local network, create world-accessible files in /tmp, and a buffer
overflow in the LANG environment variable. Also, because it contains an integrated web
server, it may be vulnerable to many of the typical HTTP exploits (buffer overruns,
directory traversal using ../.., etc.).
||POP2 is not nearly as popular as POP3 (see below), but many servers support both (for
backwards compatibility). Many of the holes that can be exploited on POP3 can also be
exploited via the POP2 port on the same server.
||POP3 is used by clients accessing e-mail on their servers. POP3 services have many
well-known vulnerabilities. At least 20 implementations are vulnerable to a buffer
overflow in the username or password exchange (meaning that hackers can break in at this
stage before really logging in). There are other buffer overflows that can be executed
after successfully logging in.
|Sun RPC PortMapper/RPCBIND. Access to portmapper is the first step in scanning a
system looking for all the RPC services enabled, such as rpc.mountd, NFS, rpc.statd,
rpc.csmd, rpc.ttybd, amd, etc. If the intruder finds the appropriate service enabled, s/he
will then run an exploit against the port where the service is running.
Note that by
putting a logging daemon, IDS, or sniffer on the wire, you can find out what programs the
intruder is attempting to access in order to figure out exactly what is going on.
|This is a protocol that runs on many machines that identifies the user of a TCP
connection. In standard usage this reveals a LOT of information about a machine that
hackers can exploit. However, it is used for logging by a lot of services, especially FTP,
POP, IMAP, SMTP, and IRC servers. In general, if you have any clients accessing these
services through a firewall, you will see incoming connection attempts on this port. Note
that if you block this port, clients will perceive slow connections
to e-mail servers on the other side of the firewall. Many firewalls support sending back a
RST on the TCP connection as part of the blocking procedure, which will stop these slow
|Network News Transfer Protocol, carries USENET traffic. This is the port used when you
have a URL like news://comp.security.firewalls/.
Attempts on this port are usually by people hunting for open USENET servers. Most ISPs
restrict access to their news servers to only their customers. Open news servers allow
posting and reading from anybody, and are used to access newsgroups blocked by someone's
ISP, to post anonymously, or to post spam.
Update: @Home has started scanning
their subscribers to see if they are running USENET servers. They are doing this in order
to find these servers and close them before spammers can take advantage of them.
MS RPC end-point mapper
|Microsoft runs its DCE RPC end-point mapper for its DCOM services at this port. It
has much the same functionality as port 111 for UNIX
systems. Services that use DCOM and/or RPC register their location with the end-point
mapper on the machine. When clients remotely connect to the machine, they query the
end-point mapper to find out where the service is. Likewise, hackers can scan the machine
on this port in order to find out such things as "is Exchange Server running on this
machine, and which version?".
This port is often hit in order to scan for services (for example, using the
"epdump" utility), but this port may also be attacked directly. Currently, there
are a few denial-of-service attacks that can be directed at this port.
|(UDP) This is the most common item seen by firewall
administrators and is perfectly normal. Please read the NetBIOS section
below for more details.
File and Print Sharing
|Incoming connections to this port are trying to reach NetBIOS/SMB, the protocols used
for Windows "File and Print Sharing" as well as SAMBA. People sharing their hard
disks on this port are probably the most common vulnerability on the Internet.
on this port were common at the beginning of 1999, but tapered off near the end. Now at
the start of year 2000, attempts on this port have picked up again. Several VBS (IE5
VisualBasic Scripting) worms have appeared that attempt to copy themselves on this port.
Therefore, it may be worms attempting to propagate on this port.
||Same security idea as POP3 above, numerous IMAP servers have buffer overflows that
allow compromise during the login. Note that for a while, there was a Linux worm (admw0rm)
that would spread by compromising port 143, so a lot of scans on this port are actually
from innocent people who have already been compromised. IMAP exploits became popular when
RedHat enabled the service by default on its distributions. In fact, this may have been
the first widely scanned for exploit since the Morris Worm.
This port is also used for
IMAP2, but that version wasn't very popular.
Several people have noted attacks from port 0 to port 143, which appears to be from
some attack script.
||(UDP) A very common port that intruders probe for. SNMP allows for remote management
of devices. All the configuration and performance information is stored in a database that
can be retrieved or set via SNMP. Many managers mistakenly leave this available on the
Internet. Crackers will first attempt to use the default passwords "public" and
"private" to access the system; they may then attempt to "crack" the
password by trying all combinations.
SNMP packets may be mistakenly directed at your
network. Windows machines running HP JetDirect remote management software use SNMP, and
misconfigured machines are frequent. HP OBJECT IDENTIFIERs will be seen in the packets.
Newer versions of Win98 will use SNMP for name resolution; you will see packets broadcast
on local subnets (cable modem, DSL) looking up sysName and other info.
||Probably a misconfiguration.
||Numerous hacks may allow access to an X-Window console; it needs port 6000 open as
well in order to really succeed.
||Probably from UNIX machines on your DSL/cable-modem segment broadcasting who is logged
into their servers. These people are kindly giving you really interesting information that
you can use to hack into their systems.
|(UDP) If you are on a cable-modem or DSL VLAN, then you may see broadcasts to this
port. CORBA is an object-oriented remote procedure call (RPC) system. It is highly likely
that when you see these broadcasts, you can use the information to hack back into the
systems generating these broadcasts.
|See port 1524
for more info.
Some script kiddies feel they're contributing substantially to the
exploit programs by making a minor change from ingreslock to pcserver in
constant text... -- Alan J. Rosenthal.
||Linux mountd bug. This is a popular bug that people are scanning for. Most scans on
this port are UDP-based, but they are increasingly TCP-based (mountd runs on both ports
simultaneously). Note that mountd can run at any port (for which you must first do a
portmap lookup at port 111), it's just
that Linux defaulted to port 635 in much the same way that NFS universally runs at port 2049.
||Many people ask the question what this port is used for. The answer is that this is
the first port number in the dynamic range of ports. Many applications don't care what
port they use for a network connection, so they ask the operating system to assign the
"next freely available port". In point of fact, they ask for port 0, but are
assigned one starting with port 1024. This means the first application on your system that
requests a dynamic port will be assigned port 1024. You can test this fact by booting your
computer, then in one window open a Telnet session, and in another window run
"netstat -a". You will see that the Telnet application has been assigned port
1024 for its end of the connection. As more applications request more and more dynamic
ports, the operating system will assign increasingly higher port numbers. Again, you can
watch this effect with 'netstat' as you browse the Internet with your web browser, as
each web-page requires a new connection.
||See port 1024.
||See port 1024.
||See port 1024.
||This protocol tunnels traffic through firewalls, allowing many people behind the
firewall access to the Internet through a single IP address. In theory, it should only
tunnel inside traffic out towards the Internet. However, it is frequently misconfigured
and allows hackers/crackers to tunnel their attacks inwards, or simply bounce through the
system to other Internet machines, masking their attacks as if they were coming from you.
WinGate, a popular Windows personal firewall, is frequently misconfigured this way. This
is often seen when joining IRC chatrooms.
||This is rarely probed by itself, but is almost always seen as part of the sscan script.
Horse (TCP). See the section on SubSeven for more
|Many attack scripts install a backdoor shell at this port (especially those against
Sun systems via holes in sendmail and RPC services like statd, ttdbserver, and cmsd). If
you've just installed your firewall and are seeing connection attempts on this port, then
this may be the cause. Try telnetting to the attempted machine in order to see if it
indeed comes up with a shell. Connections to port 600/pcserver also have this problem. [IN-99-04]
||The NFS program usually runs at this port. Normally, access to portmapper is
needed to find which port this service runs on, but since most installations run NFS on
this port, hackers/crackers can bypass portmapper and try
this port directly.
||This is the default port for the "squid" HTTP proxy. An attacker scanning
for this port is likely searching for a proxy server they can use to surf the Internet
anonymously. You may see scans for other proxies at the same time, such as at port
8000/8001/8080/8888. Another cause of scans at this port, for a similar reason, is when
users enter chatrooms. Other users (or the servers themselves) will attempt to check this
port to see if the user's machine supports proxying. See section 5.3 for more info.
||You may see lots of these, depending on the sort of segment you are on. When a user
opens pcAnywhere, it scans the local Class C range looking for potential agents.
Hackers/crackers also scan looking for open machines, so look at the source address to see
which it is. Scans for pcAnywhere frequently also include a UDP packet to port 22. See dialup probes
for more info.
||This port is used separately from the SubSeven main port
to transfer data. One example where you might see this is when a master is controlling a
slave on a dialup line, then the slave machine hangs up. Therefore, when someone else
dials-in at that IP address, they will see a continuous stream of connection attempts at
this port. more
||Clients receive incoming audio streams from servers on UDP ports in the range
6970-7170. This is set up by the outgoing control connection on TCP port 7070.
||The "PowWow" chat program from Tribal Voice. It allows users to open up
private chat connections with each other on this port. The program is very aggressive at
trying to establish the connection and will "camp" on the TCP port waiting for a
response. This causes a connection attempt at regular intervals like a heartbeat. This can
be seen by dial-up users who inherit IP addresses from somebody who was chatting with
other people: it will appear as if many different people are probing that port. The
protocol uses the letters "OPNG" as the first four bytes of its connection
||Outbound: This is seen on outbound connections. It is caused by users inside
the corporation who have installed shareware programs using the Conducent
"adbot" wrapper. This wrapper shows advertisements to users of the shareware. A
popular shareware program that uses this is PKware. Bill Royds mentions that
in his experience, you can block this outbound connection with no problem, but if you
block the IP addresses themselves, then the adbots can overload the link trying to reach
the servers by continually connecting many times per second.
The machines will attempt
to resolve the DNS name "ads.conducent.com", which resolves to the IP addresses:
These addresses are hosted by Exodus.
Horse (TCP). See the section on SubSeven for more
Horse (TCP). This is a commonly seen scan looking for systems compromised by this
|This number means "elite" in hacker/cracker spelling (3=E, 1=L, 7=T). Lots
of hacker/cracker backdoors run at this port, but the most important is Back Orifice. At
one time, this was by far the most popular scan on the Internet. These days, its
popularity is waning and other remote access trojans are becoming popular.
||UDP traffic on this port is currently being seen due to the "Hack-a-tack"
RAT (Remote Access Trojan). This trojan includes a built-in scanner that scans from port
31790, so any packets FROM 31789 TO 31790 indicate a possible intrusion. (Port 31789 is
the control connection; port 31790 is the file transfer connection).
|32770 ~ 32900
||Sun Solaris puts most of its RPC services in this range. In particular, older versions
of Solaris (pre-2.5.1) put a portmapper in this
range, allowing hackers access to this even when low ports are blocked by a firewall.
Probes in this range might either be for this portmapper, or for known RPC services that can
|33434 - 33600
||If you see a series of UDP packets within this port range (and only within this range),
then it is probably indicative of traceroute. See traceroute for
||Inoculan on UDP. Older versions of Inoculan apparently generate huge quantities of UDP
traffic directed at subnets in order to discover each other. More info can be found at http://www.circlemud.org/~jelson/software/udpsend.html
Thanks to Jerry Leslie, NeoNET < leslie at clio dot rice dot edu>
1.2 What do the following source ports mean?
Ports 1-1024 are for reserved services, and almost never appear as the source. There are
some exceptions, such as when connections come from NAT machines. See section 1.9 for some
Ports closely after 1024 (i.e. 1024-5000) are the ones most commonly
seen. These are the "dynamic" range that are assigned to applications that don't
care what port they use for their connection.
||Ports 1-5 are indicative of a script called 'sscan'
||FTP servers usually transfer files from this port.
||DNS servers will send UDP responses from this port. You may also see TCP connections
with source/destination ports of 53.
||The (Simple) Network Time Protocol (S/NTP) servers run at this port. They will also
send broadcasts to this port.
||Quake (and Quake-derived games) usually run servers at these ports. Therefore, UDP
packets from this range (and to this range) will usually be games.
||Ports above 61000 might come from machines behind a Linux NAT server called "IP
1.3 I'm seeing attempts on the same set of ports from widely varying
sources all over the Internet.
This is due to a "decoy" scan, such as in 'nmap'. One of them is the attacker;
the others are not.
Forensics and protocol analysis can be used to track down who this
is. For example, if you ping each of the systems, you can match up the TTL fields in those
responses with the connection attempts. This will at least point a finger at a decoy scan.
(The TTLs should match; if not, then they are being spoofed). [Newer versions of the scanner
now randomize the attacker's own TTL, making it harder to weed them out].
You can also attempt to go back further in your logs, looking for all the decoy
addresses or people from the same subnets. You will often see that the attacker has
actually connected to you recently, while the decoyed addresses haven't.
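The TTL cross-check described above, worked through in code. This is an added example, not part of the FAQ: it assumes a constructed firewall log format (one line per blocked SYN, carrying the source address and the TTL the packet arrived with) and a constructed list of ping replies collected afterwards from each apparent source. A source whose scan-packet TTL is close to its ping-reply TTL could genuinely be the sender; a clear mismatch means the packet did not travel that host's path, so the address was spoofed. The second helper checks whether every source's packets carry one identical TTL, which older decoy scanners produced because all decoy packets left the same machine; since newer scanners randomize the TTL, a null result there proves nothing.

```python
"""Separate decoy addresses from the real scanner by comparing the TTL of
the scan packets with the TTL of a ping reply from each source.
Added example (not from the FAQ); log and ping formats are constructed."""
import re

# Constructed formats (assumption): one firewall line per blocked SYN and
# one line per ping reply gathered afterwards from each apparent source.
SCAN_RE = re.compile(r"SYN from (\d+\.\d+\.\d+\.\d+) ttl=(\d+)")
PING_RE = re.compile(r"reply from (\d+\.\d+\.\d+\.\d+) ttl=(\d+)")


def ttls_by_host(lines, pattern):
    """Map each IP address to the set of TTL values seen for it."""
    seen = {}
    for line in lines:
        m = pattern.search(line)
        if m:
            seen.setdefault(m.group(1), set()).add(int(m.group(2)))
    return seen


def classify_sources(scan_lines, ping_lines, slack=2):
    """Return {ip: 'consistent' | 'spoofed' | 'inconclusive'}.

    'consistent': some scan-packet TTL is within `slack` of a ping-reply TTL,
                  so the host really could have sent the packets.
    'spoofed':    the host answers pings but with a TTL that does not match,
                  so the scan packets did not come from it.
    'inconclusive': no ping reply (host down or filtering ICMP)."""
    scans = ttls_by_host(scan_lines, SCAN_RE)
    pings = ttls_by_host(ping_lines, PING_RE)
    verdicts = {}
    for ip, scan_ttls in scans.items():
        if ip not in pings:
            verdicts[ip] = "inconclusive"
        elif any(abs(s - p) <= slack for s in scan_ttls for p in pings[ip]):
            verdicts[ip] = "consistent"
        else:
            verdicts[ip] = "spoofed"
    return verdicts


def shared_scan_ttl(scan_lines):
    """Return the single TTL shared by every scan packet, or None.
    Older decoy scanners stamped the attacker's own TTL on all decoy
    packets; newer ones randomize it, so None is not evidence of anything."""
    scans = ttls_by_host(scan_lines, SCAN_RE)
    all_ttls = set().union(*scans.values()) if scans else set()
    return next(iter(all_ttls)) if len(all_ttls) == 1 else None


SCAN_LOG = [  # constructed: five "sources", all packets arriving with TTL 52
    "blocked SYN from 203.0.113.5 ttl=52 to 198.51.100.7:111",
    "blocked SYN from 203.0.113.5 ttl=52 to 198.51.100.7:143",
    "blocked SYN from 192.0.2.20 ttl=52 to 198.51.100.7:111",
    "blocked SYN from 192.0.2.21 ttl=52 to 198.51.100.7:111",
    "blocked SYN from 192.0.2.22 ttl=52 to 198.51.100.7:111",
]
PING_LOG = [  # constructed: 192.0.2.22 never answered
    "reply from 203.0.113.5 ttl=51",
    "reply from 192.0.2.20 ttl=118",
    "reply from 192.0.2.21 ttl=243",
]

if __name__ == "__main__":
    for ip, verdict in classify_sources(SCAN_LOG, PING_LOG).items():
        print(f"{ip:15} {verdict}")
    print("TTL shared by all scan packets:", shared_scan_ttl(SCAN_LOG))
```

The `slack` of two hops absorbs ordinary routing asymmetry between the scan path and the ping path; widen it if your vantage point sees frequent route changes. The log-search step the text mentions next (did the "consistent" source contact you earlier, when the decoys did not?) is the natural follow-up confirmation.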
The first stage of a Trojan Horse attack is to get the program on a user's machine.
Typical techniques are:
- post the program to newsgroups claiming to be some other program
- spam mailing lists with the attached program
- post program to websites
- send via instant messenger programs and chat systems (ICQ, AIM, IRC, etc.)
- forge e-mail from the ISP (like AOL) with a hoax message asking somebody to run a
program (such as a software update).
- copy to startup folder via "File and Print Sharing".
The next stage of the attack is to scan the Internet looking for machines that might be
compromised. The problem is that most of the techniques outlined above don't tell the
cracker/hacker where their victim machine is. Therefore, the cracker/hacker must scan the
Internet looking for the machines they might have compromised.
This leads to the condition where owners of firewalls (including personal firewalls)
regularly see "probes" directed at their machines from crackers/hackers looking
for these machines. However, if the machine hasn't been compromised, then these probes are
not a problem. The probes cannot compromise the machine by themselves. Administrators can
usually ignore these "attacks".
Typical ports used by these probes are listed below. In order to tell if your machine
might be running one of these trojans, run the program "netstat -an" on your
machine. Look for the ports that might be "listening" for incoming connections.
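The "netstat -an" check from the previous paragraph, automated. This is an added example, not part of the FAQ: it parses constructed `netstat -an` output (Windows style; the Linux "LISTEN" state word is also accepted) and flags listening sockets whose port the FAQ associates with a backdoor or remote access trojan. The port table is limited to numbers this document itself names; it is a hint list, not a complete catalogue, and because trojans can be remapped to any port (see section 1.12) an empty result does not mean the machine is clean.

```python
"""Flag listening ports in `netstat -an` output that match backdoor/RAT
ports named in this FAQ.  Added example, not from the FAQ; the netstat
output is constructed and the port table only contains ports the FAQ lists."""

# Ports this FAQ associates with backdoors or remote access trojans.
SUSPECT_PORTS = {
    600:   "pcserver backdoor shell",
    1524:  "ingreslock backdoor shell",
    6776:  "SubSeven data port",
    12345: "NetBus default",
    31337: "Back Orifice / 'elite' backdoors",
    31789: "Hack-a-tack control (UDP)",
    31790: "Hack-a-tack file transfer (UDP)",
}


def listening_ports(netstat_output):
    """Yield (proto, port) for sockets that accept incoming traffic.

    TCP sockets count only in the LISTENING (Windows) or LISTEN (Linux)
    state; UDP sockets carry no state and are always reported.  The local
    address is the first field containing ':' (works for 0.0.0.0:135,
    [::]:135 and :::22 alike); the port is whatever follows the last colon."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].upper() not in ("TCP", "UDP"):
            continue
        proto = fields[0].upper()
        local = next((f for f in fields[1:] if ":" in f), None)
        if local is None:
            continue
        try:
            port = int(local.rsplit(":", 1)[1])
        except ValueError:
            continue  # e.g. "*:*" has no numeric port
        if proto == "TCP" and fields[-1].upper() not in ("LISTENING", "LISTEN"):
            continue
        yield proto, port


def suspicious_listeners(netstat_output):
    """Return [(proto, port, reason)] for listeners on ports in SUSPECT_PORTS."""
    return [(proto, port, SUSPECT_PORTS[port])
            for proto, port in listening_ports(netstat_output)
            if port in SUSPECT_PORTS]


NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1024       192.168.1.1:23         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31789          *:*
"""  # constructed sample; not captured from a real machine

if __name__ == "__main__":
    for proto, port, reason in suspicious_listeners(NETSTAT_OUTPUT):
        print(f"{proto} port {port} is listening: {reason}")
```

In the constructed sample the ports 135, 137 and 139 are ordinary Windows RPC and NetBIOS listeners and are not flagged, and the ESTABLISHED Telnet session on local port 1024 (the first dynamic port, as section 1.1 explains) is skipped because it is not a listener. Only the TCP listener on 31337 and the UDP socket on 31789 are reported.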
Sub7 has become the most popular remote access trojan. At this time, it is the
easiest-to-use and most powerful trojan. The reasons for this are:
- It is actively maintained/updated. Most other Trojans were created once then development
stopped except for a couple of bug fixes.
- The program not only includes a scanner, but also can tell a slave machine to scan as
- The creator has a contest for cracked sites using Sub7.
- Supports "port redirection", so that any attack can be funneled through a
- Contains extensive tricks to play with ICQ, AOL IM, MSN Messenger, and Yahoo messenger,
including password sniffing, posting messages, and other features.
- Extensive UI tricks, such as flipping the screen, talking through the victim's speaker,
and spying on the victim's screen.
In short, it not only is an excellent hacking tool, the little "magic" tricks
are designed to scare the <bleep> out of victims.
Sub7 is written by a hacker who calls himself "Mobman". His site can be
reached at http://subseven.slak.org/.
Sub7 might use the following ports:
- The default connection port for older versions.
- Screen capture port
- Key logger port
- I'm not sure what this port is for, but it has been claimed that this can serve as a
"backdoor" in some versions. (Yes, a backdoor program with a backdoor to avoid
- Port for the "matrix" chat program
- Another default port appearing in v2.0
- Spy port
1.9 DNS packets from low numbered ports
Q: I've seen many DNS requests from many low port numbers below 1024. Aren't they
supposed to be reserved? Aren't they supposed to use 1024-65535 range?
A: These are coming from machines behind NAT firewalls. A NAT doesn't necessarily have the
concept of reserved port numbers. Thanks to Ryan Russell Ryan.Russell at sybase dot com
Q: My filters reject incoming packets with source ports below 1024, so the DNS
lookups are failing.
A: Don't filter that way. Lots of firewalls have similar rules, but this is somewhat
"misguided" since hackers/crackers can forge whatever ports they want.
Q: Are these NAT firewalls doing it incorrectly?
A: Not in theory, but in practice it will result in failures. The "correct" way
would be to control DNS traffic more strictly in any case (such as essentially
"proxying" DNS and forcing it out through port 53).
Q: I thought DNS lookup was supposed to use a random source port above 1024?
A: In practice, your average DNS client will use a non-reserved port. However, a lot of
implementations use a source port of 53. In any case, the NAT issue is completely separate
because it completely changes the entire 'socket' (IP address + port combo).
1.10 Immediately upon dialing up to my
ISP, my personal firewall starts alarming me about probes against port X.
This is very common. The cause is that somebody hung up just before you dialed in and
your ISP assigned you the same IP address. You are now seeing the remnants of
communication with the previous person.
A typical example is chat programs. If
someone simply hangs up, then everyone who was chatting with that person will attempt to
still send traffic to them. Some programs take a long time to timeout. Typical programs
that show this behavior are PowWow and ICQ.
Another example is on-line multiplayer games. You might see such traffic from gaming
providers like MPlayer, or maybe from unknown servers (Quake servers litter the Internet).
These games are typically UDP based, so there is no concept of a connection that can be
dropped. They also are quite aggressive at maintaining connections, in order to make a
good user experience. Some game ports that you might see are:
Another example is multimedia audio/visual. For example, RealAudio uses UDP ports in the
range of 6970-7170 for clients to receive audio streams.
Make sure that you carefully figure out the correct side of the connection. For
example, an ICQ server runs on port 4000, and the client chooses a random high-numbered
port. That means you will see UDP packets from port 4000 going to the random port. In
other words, don't go looking in a port database trying to figure what that random,
high-numbered port means. The significant port is the source.
The SubSeven trojan has a similar problem. It uses separate TCP connections for different services. If
the slave agent goes away, it will continue to create connection attempts to the slave
ports, especially at port 6776.
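A small log-triage routine that applies both the port-range rules from section 1 and the "figure out the correct side of the connection" advice just given. This is an added example, not part of the FAQ: the log line format and every sample line are constructed, and the set of service ports it recognizes is restricted to ports this document mentions. For each packet it decides which end names the service (a listed service port wins, so an ICQ packet from port 4000 to a random high port is attributed to port 4000; otherwise a well-known port beats an ephemeral one, and otherwise the lower number), reports the IANA range of that port, and tags the patterns described in sections 1.1 and 1.2: replies from UDP source port 53, traceroute's UDP range, sscan's source ports 1-5, DHCP broadcasts on 67/68 (either direction), NetBIOS name service, and SMB.

```python
"""Firewall log triage: which end of a blocked packet names the service,
which IANA range that port is in, and which FAQ-described pattern it fits.
Added example, not from the FAQ; log format and samples are constructed."""
import re

# Constructed log format (assumption): "<PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(r"^(TCP|UDP)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$")

# Service ports this FAQ names; they can appear on either end of a packet.
KNOWN_SERVICE_PORTS = {20, 21, 22, 23, 25, 53, 67, 68, 69, 98, 109, 110, 111,
                       113, 119, 135, 137, 139, 143, 161, 635, 2049, 3128,
                       4000, 5632, 6776, 7070}


def port_range(port):
    """IANA range as the FAQ describes it."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def significant_side(src_port, dst_port):
    """Return ('src' | 'dst', port): the end that most likely names the service."""
    src_known, dst_known = src_port in KNOWN_SERVICE_PORTS, dst_port in KNOWN_SERVICE_PORTS
    if src_known != dst_known:            # exactly one end is a listed service
        return ("src", src_port) if src_known else ("dst", dst_port)
    src_low, dst_low = src_port <= 1023, dst_port <= 1023
    if src_low != dst_low:                # exactly one end is well-known
        return ("src", src_port) if src_low else ("dst", dst_port)
    return ("src", src_port) if src_port < dst_port else ("dst", dst_port)


def tags_for(proto, src_port, dst_ip, dst_port):
    """Patterns from sections 1.1 and 1.2 that one log line can match."""
    tags = []
    if proto == "UDP" and src_port == 53:
        tags.append("dns-reply-pattern")   # trustworthy only if a matching query went out
    if 1 <= src_port <= 5:
        tags.append("sscan-source-port")
    if proto == "UDP" and 33434 <= dst_port <= 33600:
        tags.append("traceroute")
    if proto == "UDP" and dst_port in (67, 68) and dst_ip == "255.255.255.255":
        tags.append("dhcp-broadcast")
    if proto == "UDP" and dst_port == 137:
        tags.append("netbios-name-service")
    if proto == "TCP" and dst_port == 139:
        tags.append("smb-file-and-print")
    return tags


def triage(lines):
    """Parse each log line and attach service side, port range and tags."""
    results = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; real code would report it
        proto, _src_ip, src_port, dst_ip, dst_port = m.groups()
        src_port, dst_port = int(src_port), int(dst_port)
        side, port = significant_side(src_port, dst_port)
        results.append({"line": line, "service_side": side, "service_port": port,
                        "range": port_range(port),
                        "tags": tags_for(proto, src_port, dst_ip, dst_port)})
    return results


SAMPLE_LOG = [  # constructed
    "UDP 192.0.2.10:53 -> 198.51.100.7:1031",
    "UDP 192.0.2.44:4000 -> 198.51.100.7:1087",
    "UDP 192.0.2.9:40217 -> 198.51.100.7:33440",
    "TCP 192.0.2.77:3 -> 198.51.100.7:111",
    "UDP 0.0.0.0:68 -> 255.255.255.255:67",
    "TCP 192.0.2.5:61234 -> 198.51.100.7:139",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['line']:42} service={r['service_side']}:{r['service_port']}"
              f" ({r['range']}) {','.join(r['tags'])}")
```

The "dns-reply-pattern" tag is deliberately neutral: as section 1.1 notes, a stateless firewall that admits everything from UDP source port 53 can be pierced by anyone who sets that source port, so the tag is a prompt to check for a matching outbound query, not a verdict that the packet is benign.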
1.11 IRC servers are probing me.
One of the most popular applications is "chat", like IRC. One feature of chat
programs is that they reveal the IP address of the people you are chatting with. One
problem with chatrooms is that people enter the rooms "anonymously" and play
around, either by disrupting conversations with offtopic comments and flamebait, or by
"flooding" the servers or other clients in an attempt to kick them off.
Both servers and clients are implementing measures to stop "anonymous" use of
chatrooms. In particular, they check people entering chatrooms in order to see if they are
"proxying" through some other connection. The most popular of such probes is
SOCKS. The assumption is that if the IP address of where you are coming from supports
SOCKS, then it is possible that you have a completely separate machine and are only going
through the indicated machine in order to hide your true identity. Undernet's policy on
this can be found at http://help.undernet.org/proxyscan.
At the same time, crackers/hackers will scan people's machines in order to determine if
they are running some sort of server that can be bounced through. Again, by checking for
SOCKS, the attacker hopes to find somebody that has left SOCKS open, such as a home user
implementing connection sharing using SOCKS, but accidentally configured it so that
anybody on the Internet has access to it.
1.12 What are "remapped" ports?
A common technique is to remap a service to some other port number. For example, whereas the
default port for HTTP is 80, many people remap it to another port, such as 8080 (hence,
this document could reside at http://www.robertgraham.com:8080/pubs/firewall-seen.html if
I were to remap the port).
Remapping is done under the theory that making the port
harder to find will make it more difficult for a hacker to exploit. Instead of simply
exploiting a well-known service at a well-known port, the hacker will have to port scan
Most port remapping is done at some variation of the original port. Therefore, most
HTTP ports are based upon a variation of the theme "80": 81, 88, 8000,
8080, 8888, and so forth. POP, which is originally at port 110, can often be
found at port 1100.
There are other statistically significant chosen numbers, like 12345, 23456, 34567,
etc. Many people also choose numbers that are well known for other reasons; 42, 69, 666,
31337, and so on. The recent proliferation of Remote Access Trojans (RATs) has resulted in
hackers/crackers choosing the same defaults for their programs. For example, NetBus
defaults to port 12345.
Blake R. Swopes points out that remapping is also done because on UNIX machines, your
server needs root privileges to listen on ports below 1024. If you don't have root level
access and want to run a web service, you will need to install it on a high-numbered port.
Likewise, some ISPs might firewall low-numbered ports, forcing you to remap even when you
own the entire machine.
1.13 I still can't figure out what somebody is trying to connect to on a port; what can I do?
Use netcat in order to set up a listening process. For port '1234', use:
netcat -L -p 1234
A lot of protocols will send data as the first part of the connection. By setting up
netcat listening on the port, you might be able to figure out what protocol they are
using. If you are lucky, the protocol in question will be HTTP, which will give you a
wealth of information that you can use to track down what is happening.
The "-L" option means to listen continuously. Normally, netcat would accept a
single connection, dump the contents, then exit. By adding this option, it will remain
running for multiple connections.
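As an added illustration that is not part of the FAQ, the same idea as the netcat listener in Python: accept a connection, record the peer address and whatever the client sends first, and guess the protocol from those bytes, including the SOCKS4/SOCKS5 handshakes that the proxy scans described in 1.11 would produce. The protocol signatures and the loopback demo() client are constructed for this example and are deliberately incomplete.

```python
import socket
import threading

# Added example, not the FAQ's own code: the "netcat -L -p" idea in Python.
def identify_protocol(first_bytes: bytes) -> str:
    """Guess the protocol from the first bytes a client sends after connecting."""
    head = first_bytes.lstrip(b"\r\n ")
    if not head:
        return "silent (client expects a server banner, or it was a bare scan)"
    text_prefixes = ((b"GET ", "HTTP"), (b"POST ", "HTTP"), (b"HEAD ", "HTTP"),
                     (b"HELO ", "SMTP"), (b"EHLO ", "SMTP"), (b"USER ", "POP3/FTP/IRC"))
    for prefix, name in text_prefixes:   # constructed, partial signature list
        if head.startswith(prefix):
            return name
    if head[0] == 0x05 and len(head) >= 2 and len(head) >= 2 + head[1]:
        return "SOCKS5 greeting"         # version 5, method count, method list
    if head[0] == 0x04 and len(head) >= 9 and head[1] in (1, 2):
        return "SOCKS4 request"          # version 4, CONNECT/BIND, port, IPv4, userid
    return "unknown: " + head[:16].hex()

def make_listener(port: int = 0) -> socket.socket:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))        # port 0: let the OS pick one (for the demo)
    srv.listen(5)
    return srv

def capture_first_bytes(listener: socket.socket, wait: float = 2.0) -> dict:
    """Accept one connection, record the peer and its first bytes, then close it."""
    conn, peer = listener.accept()
    conn.settimeout(wait)                # a silent client must not hang the listener
    try:
        data = conn.recv(1024)
    except socket.timeout:
        data = b""
    conn.close()
    return {"peer": peer, "first_bytes": data, "guess": identify_protocol(data)}

def demo(payload: bytes = b"GET / HTTP/1.0\r\nHost: example\r\n\r\n") -> str:
    """Loopback demo: a constructed client connects, sends payload, and we classify it."""
    srv = make_listener()
    port = srv.getsockname()[1]
    result = {}
    worker = threading.Thread(target=lambda: result.update(capture_first_bytes(srv)))
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(payload)
    worker.join()
    srv.close()
    return result["guess"]
```

Call demo() or demo(b"\x05\x01\x00") to see the loopback client classified; for real traffic, call make_listener(1234) once and loop on capture_first_bytes(), which is the continuous "-L" behaviour.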
Whereas TCP and UDP carry data, ICMP contains purely control messages. Therefore,
ICMP messages cannot really be used to break into your machine. Hackers use ICMP messages
to attempt to scan networks, DoS machines, or
Some firewalls incorrectly label ICMP fields as "ports".
ICMP has no ports like TCP or UDP, but it does have two fields called "type" and
"code". While these fields serve purposes completely unrelated to port numbers, the fact that
there are two of them has led to firewalls mislabeling them. For more on ICMP, please
read my Infosec Lexicon entry on ICMP.
The official reference for what ICMP Type/Code fields mean is found at http://www.isi.edu/in-notes/iana/assignments/icmp-parameters.
While that document describes the official meanings, this section describes what hackers
are trying to do. This section contains a brief summary at top, then more detailed
descriptions down below.
Type 0 (Echo Reply): A response to a ping.
Type 3 (Destination Unreachable): An indication back from a host or router that some packet did not reach its
  Code 0 (Net Unreachable): Route configuration problem or incorrectly specified IP address.
  Code 1 (Host Unreachable): It means that the router one hop before the desired host could not ARP the host.
  Code 3 (Port Unreachable): The server tells the client that nobody is listening at the port the client attempted
  Code 4 (Fragmentation Needed but DF set): Important: If you are seeing these in your firewall
  reject logs, then you've misconfigured your firewall. You should allow this packet to pass
  through, otherwise your clients will see their TCP connections mysteriously hang.
Type 4 (Source Quench): Congestion on the Internet.
Type 5 (Redirect): Somebody is trying to redirect your default router. This could be from a
  hacker trying to execute a man-in-the-middle against you by causing you to route through
  their own machine. There exists a hack against Win9x and Solaris such that a hacker can
  DoS you by redirecting your default router. A neighboring hacker can also do a
  man-in-the-middle attack by directing you through his/her router.
Type 11 (Time Exceeded In Transit): It means that a packet never reached its target because something timed out.
  Code 0: Router dropped the packet either because of a routing loop or maybe because of
  Code 1 (Fragment reassembly timeout): The host dropped the packet because it didn't receive all the fragments.
Type 12 (Parameter Problem): Something unusual is going on, and probably indicates an attack.
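As an added example that is not from the FAQ, a small Python parser that pulls type and code out of a raw ICMP message, verifies the RFC 792 checksum, and labels the message using the table above. The one-line notes in ICMP_TABLE are this example's condensation of that table (the ALLOW/SUSPECT tags are its own labels), and build_icmp() constructs sample messages for testing; real messages would come off a raw socket or a packet capture.

```python
import struct

# Added example, not the FAQ's own code. Names follow the table above; the notes
# are this example's one-line condensation of what the table says about each.
ICMP_TABLE = {
    (0, 0): ("Echo Reply", "a response to a ping"),
    (3, 0): ("Net Unreachable", "route configuration problem or bad IP address"),
    (3, 1): ("Host Unreachable", "last-hop router could not ARP the host"),
    (3, 3): ("Port Unreachable", "nobody listening at the port the client tried"),
    (3, 4): ("Fragmentation Needed but DF set", "ALLOW: blocking it hangs TCP sessions"),
    (4, 0): ("Source Quench", "congestion on the Internet"),
    (5, None): ("Redirect", "SUSPECT: attempt to change your default router"),
    (11, 0): ("Time Exceeded In Transit", "router dropped it, e.g. a routing loop"),
    (11, 1): ("Fragment Reassembly Timeout", "host did not receive all fragments"),
    (12, None): ("Parameter Problem", "unusual; probably indicates an attack"),
}

def icmp_checksum(data: bytes) -> int:
    """RFC 792 ones-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Construct a sample message (for tests): header with correct checksum, then payload."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]

def parse_icmp(msg: bytes) -> dict:
    """Pull out type/code, label them from ICMP_TABLE, and verify the checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code = msg[0], msg[1]
    name, note = (ICMP_TABLE.get((icmp_type, code))
                  or ICMP_TABLE.get((icmp_type, None), ("Unknown", "not in the table")))
    info = {"type": icmp_type, "code": code, "name": name, "note": note,
            "checksum_ok": icmp_checksum(msg) == 0}   # a valid message sums to zero
    if (icmp_type, code) == (3, 4):                    # bytes 6-7: next-hop MTU (RFC 1191)
        info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    if icmp_type == 5:                                 # bytes 4-7: gateway being pushed on you
        info["gateway"] = ".".join(str(b) for b in msg[4:8])
    return info
```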