Port scanning concern
iceblink at seti.nl
Mon Nov 26 07:33:37 UTC 2012
On 2012-11-25 21:03, Gene Heskett wrote:
> On Sunday 25 November 2012 13:48:36 Tony Arnold did opine:
>> On 25/11/12 17:06, Jason P. wrote:
>> > El 25/11/12 17:35, Tony Arnold escribiأ³:
>> >> Jason,
>> >> I presume the DST=local_ip shows as a real local IP address
>> >> your router (e.g., 192.168.1.27)? And that you do not have any
>> >> forwarding on your router thaty could be relevant?
>> > You're right. local_ip is a real LAN IP adress. Port forwarding is
>> > irrelevant here.
>> >> It looks to me like return traffic from outgoing connections to
>> >> 220.127.116.11. The outgoing connection would be http so it would
>> >> connect on port 80/tcp. Return traffic would have a source port
>> >> (SPT) of 80 and a random high number destination port (DST).
>> > Does it make sense trying to connect in sequence apparently to
>> > ports? Other days port numbers are different, but always
>> > Normally 10 in a row or so.
>> Quite possibly. Each outgoing connection would have a destination
>> of 80 and a source port of some high number random port. Consecutive
>> connections could well use consecutive ports, thus the return
>> would have consecutive destination ports as you are seeing.
>> It's also unlike that any malware would be scanning your machine
>> with a
>> source port of 80! Besides, such scanning should not get through
> Slight correction here, incoming port 80 would not get past his ISP.
> had several internet providers over the last 20 years, and even in
> baud dialup days no incoming port 80 gets past the ISP so they're
> the conventional folks to use their web server farm, which of course
> YOUR web page up with THEIR advertising.
Maybe in your location. Over here all providers allow you to have your
own server at home doing whatever you want to do, on whatever port you
like. They just limit the uploading bandwidth or data usage (or both).
More information about the ubuntu-users