Port 1028


I have ports 1026 and 1027 blocked.  I don't remember why.  But I have
recently noticed probes on port 1028 UDP.  Does anyone know what it is?
The IP addresses are far away from mine.

Dec 22 07:08:30 -0700 SRC= DST= PROTO=UDP SPT=55169
Dec 22 07:15:44 -0700 SRC= DST= PROTO=UDP SPT=58980


Felix Tilley
MAJ, LARTvocate
Fanatic Legions

Re: Port 1028

Felix Tilley wrote:

1028 is what comes after 1026 and 1027 when somebody starts counting at
1025.  Really.  Looking to the future, I predict 1029 will be next.

Re: Port 1028

On Thu, 22 Dec 2005 21:54:32 +0000, Allen Kistler shouted Hoy......


Really? Surely you must be jesting.

Dancin' in the ruins tonight
mail: echo onub-hgbg@pbyhzohf.ee.pbz | perl -pe 'y/a-z/n-za-m/'
Tayo'y Mga Pinoy

Re: Port 1028

On Thu, 22 Dec 2005, in the Usenet newsgroup comp.os.linux.security, in article


The "probes" are almost certainly windoze messenger spam - pop-up ads
saying something like

   Windows has found 39 CRITICAL SYSTEM ERRORS!

   To fix the errors please do the following:
   1. Download Registry Repair from: www.some.wankers.website
   2. Install Registry Repair
   3. Run Registry Repair
   4. Reboot your computer

The number of "CRITICAL" errors varied randomly from 20 to 99. This dire
news is obviously a concern - especially given that I haven't had a
windoze box in the house for 13+ years.


Size not shown - should be something between 350 and 1000 octets. While the
address you show is CHINANET Shanghai province network, you should be aware
that UDP is connectionless, and the address may well be faked. In early
November, I logged this traffic on my home firewall for a week (average
about 1000 packets/day, 1/2 Meg/day, destination ports 1025 to 1031 in a
chopped bell-shaped curve centered at 1026.65, std.dev = 0.975), and noted
about 3 percent of the traffic claimed to originate from IP addresses that
IANA hasn't allocated yet.  The spam-vertised web site was something newly
registered (in the preceding week) and the names changed several times
during the week. In my case, all the sites were hosted by a well known
spam support provider in the state of Washington. The registrations used
several registrars, and all appeared to be blatantly bogus data.

This is one case where ignoring the packets (ipfwadm/IPCHAINS = DENY,
iptables = DROP) is useful, as it reduces your traffic by some (small)
amount.  At work, we port translate _outbound_ traffic (mainly DNS queries)
out of the range 1025 to a higher number (say 1075) or so to higher port
numbers. This allows our upstream to drop _all_ inbound traffic in that
range. At roughly a half Meg a day per address, this traffic can add up to
a substantial number otherwise.

        Old guy
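As an added example (not from any poster in this thread), here is a small Python script that applies the classification described above to netfilter LOG lines: UDP to destination ports 1025-1031 with an IP datagram length of 350-1000 octets, then summarises the destination-port distribution the way the week-long count was described. The log lines are constructed, using documentation address ranges, and the field layout assumed is the standard netfilter LOG output (SRC= DST= LEN= PROTO= SPT= DPT=).

```python
"""Pick Windows Messenger (UDP 1025-1031) spam out of netfilter LOG lines.

Added example, not from the thread.  Sample lines below are constructed;
the addresses are documentation ranges, not the poster's real sources.
"""
import re
import statistics

# Constructed sample.  netfilter prints LEN twice for UDP: the first is the
# IP datagram length, the second the UDP length; we keep the first.
SAMPLE_LOG = """\
Dec 22 07:08:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=612 TTL=115 PROTO=UDP SPT=55169 DPT=1026 LEN=592
Dec 22 07:15:44 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=580 TTL=112 PROTO=UDP SPT=58980 DPT=1028 LEN=560
Dec 22 07:16:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=590 TTL=112 PROTO=UDP SPT=41022 DPT=1027 LEN=570
Dec 22 07:20:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=60 TTL=57 PROTO=UDP SPT=53 DPT=1026 LEN=40
Dec 22 07:21:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.2 LEN=60 TTL=57 PROTO=TCP SPT=4444 DPT=1028
"""

FIELD = re.compile(r"\b(SRC|DST|LEN|PROTO|SPT|DPT)=(\S*)")
SPAM_PORTS = range(1025, 1032)   # 1025..1031, the range observed in the post
SPAM_LEN = range(350, 1001)      # 350..1000 octets, the post's size estimate


def parse_line(line):
    """Return the netfilter fields of one LOG line; first LEN wins."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)
    return fields


def is_messenger_spam(fields):
    """UDP, destination port 1025-1031, IP length 350-1000 octets."""
    try:
        return (fields.get("PROTO") == "UDP"
                and int(fields["DPT"]) in SPAM_PORTS
                and int(fields["LEN"]) in SPAM_LEN)
    except (KeyError, ValueError):
        return False


def summarize(log_text):
    """Count matching packets and describe their DPT distribution."""
    ports = [int(f["DPT"]) for f in map(parse_line, log_text.splitlines())
             if is_messenger_spam(f)]
    if not ports:
        return {"count": 0, "mean_dpt": None, "stdev_dpt": None, "by_port": {}}
    return {"count": len(ports),
            "mean_dpt": statistics.mean(ports),
            "stdev_dpt": statistics.pstdev(ports),   # population std.dev
            "by_port": {p: ports.count(p) for p in sorted(set(ports))}}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running it over a real `/var/log/messages` (after `iptables -A INPUT -p udp --dport 1025:1031 -j LOG`) gives the same kind of per-port histogram the poster derived for the week; the 60-octet UDP reply and the TCP line in the sample are deliberately left out of the count.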
