Port scanning concern

Gene Heskett gheskett at wdtv.com
Mon Nov 26 08:12:41 UTC 2012


On Monday 26 November 2012 02:57:23 Patrick Asselman did opine:

> On 2012-11-25 21:03, Gene Heskett wrote:
> > On Sunday 25 November 2012 13:48:36 Tony Arnold did opine:
> >> Jason,
> >> 
> >> On 25/11/12 17:06, Jason P. wrote:
> >> > On 25/11/12 17:35, Tony Arnold wrote:
> >> >> Jason,
> >> >> 
> >> >> I presume the DST=local_ip shows as a real local IP address behind
> >> >> your router (e.g., 192.168.1.27)? And that you do not have any port
> >> >> forwarding on your router that could be relevant?
> >> > 
> >> > You're right. local_ip is a real LAN IP address. Port forwarding is
> >> > irrelevant here.
> >> > 
> >> >> It looks to me like return traffic from outgoing connections to
> >> >> 88.191.127.22. The outgoing connection would be http so it would
> >> >> connect on port 80/tcp. Return traffic would have a source port
> >> >> (SPT) of 80 and a random high number destination port (DST).
> >> > 
> >> > Does it make sense trying to connect in sequence apparently to random
> >> > ports? Other days port numbers are different, but always consecutive.
> >> > Normally 10 in a row or so.
> >> 
> >> Quite possibly. Each outgoing connection would have a destination port
> >> of 80 and a source port of some high number random port. Consecutive
> >> connections could well use consecutive ports, thus the return traffic
> >> would have consecutive destination ports as you are seeing.
> >> 
> >> It's also unlikely that any malware would be scanning your machine with a
> >> source port of 80! Besides, such scanning should not get through your
> >> router.
> > 
> > Slight correction here, incoming port 80 would not get past his ISP. I've
> > had several internet providers over the last 20 years, and even in 2400
> > baud dialup days no incoming port 80 gets past the ISP so they're forcing
> > the conventional folks to use their web server farm, which of course loads
> > YOUR web page up with THEIR advertising.
> 
> Maybe in your location.

This is the US, with its toothless FCC, who are, and have been for 35 
years, for sale to the highest bidder as far as the telecoms are concerned.
Heck, I've had a 1st Phone ticket since '62, but they sold us down the 
river about 30 years back & no one at the commission today even knows what 
a 1st Phone was.  I am also a C.E.T., a considerably harder test, so when I 
want to impress the frogs, that is the card I flip out.

> Over here all providers allow you to have your
> own server at home doing whatever you want to do, on whatever port you
> like. They just limit the uploading bandwidth or data usage (or both).

Which is why if you check the sig, it's not on port 80.  No advertising, 
just me, blowing my own horn basically.  I should smunch that picture so it 
loads faster, but it's been there since mid 2004 without many complaints.
 
> Best regards,
> Patrick Asselman


Cheers Patrick, Gene
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
My web page: <http://coyoteden.dyndns-free.com:85/gene> is up!
Stupidity got us into this mess -- why can't it get us out?
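
The return-traffic reasoning quoted in this thread, as an added example that is not part of any poster's message: a small triage script that groups blocked packets by source and separates "web server replying to ephemeral ports" from "many low ports probed". It assumes iptables/UFW-style LOG lines; the sample lines, the 203.0.113.50 address and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

SERVICE_PORTS = {80, 443}   # assumption: services the LAN host connects out to
EPHEMERAL_MIN = 32768       # Linux default lower bound for client source ports
FIELD = re.compile(r"\b(SRC|SPT|DPT)=(\S+)")
TEMPLATE = ("Nov 25 17:01:02 host kernel: [UFW BLOCK] IN=eth0 OUT= "
            "SRC={} DST=192.168.1.27 PROTO=TCP SPT={} DPT={}")

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = "\n".join(
    [TEMPLATE.format("88.191.127.22", 80, p) for p in range(51234, 51239)]
    + [TEMPLATE.format("203.0.113.50", 44321, p) for p in (21, 22, 23, 25, 80)]
)

def parse(line):
    """Return (src, spt, dpt) from one log line, or None if fields are missing."""
    f = dict(FIELD.findall(line))
    try:
        return f["SRC"], int(f["SPT"]), int(f["DPT"])
    except (KeyError, ValueError):
        return None

def longest_run(ports):
    """Length of the longest run of consecutive port numbers."""
    best = run = 0
    prev = None
    for p in sorted(set(ports)):
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best, prev = max(best, run), p
    return best

def classify(log_text):
    """Map each source IP to (verdict, longest consecutive DPT run)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_src[rec[0]].append(rec[1:])
    verdicts = {}
    for src, pkts in by_src.items():
        spts = {s for s, _ in pkts}
        dpts = {d for _, d in pkts}
        if spts <= SERVICE_PORTS and min(dpts) >= EPHEMERAL_MIN:
            verdict = "likely return traffic"   # server port -> client ephemeral ports
        elif len(dpts) >= 5 and min(dpts) < 1024:
            verdict = "possible port scan"      # many distinct low ports probed
        else:
            verdict = "unclassified"
        verdicts[src] = (verdict, longest_run(dpts))
    return verdicts
```

The verdict is a heuristic for triage only: a source port can be chosen freely by the sender, so a "likely return traffic" result is best confirmed against the host's own outbound connection history.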



