On Thu, Jun 05, 2003 at 10:02:53PM +0200, Christoph Haas wrote:

> So most probably you see just the second. That's the way TCP works.
> Sequential port numbers may show up because the counter of used
> high-ports (1024 ff.) is just increased.
No, it's not at all uncommon to see incoming traffic from well-known ports. It's an easy way to bypass weakly configured firewalls. Snort can detect such activity. Nmap can generate it using the -g flag. Here's what the nmap man page has to say about it:

    -g <portnumber>
        Sets the source port number used in scans. Many naive firewall and
        packet filter installations make an exception in their ruleset to
        allow DNS (53) or FTP-DATA (20) packets to come through and establish
        a connection. Obviously this completely subverts the security
        advantages of the firewall since intruders can just masquerade as FTP
        or DNS by modifying their source port. Obviously for a UDP scan you
        should try 53 first and TCP scans should try 20 before 53. Note that
        this is only a request -- nmap will honor it only if and when it is
        able to. For example, you can't do TCP ISN sampling all from one
        host:port to one host:port, so nmap changes the source port even if
        you used -g.

I see it all the time.

noah

--
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
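The weakness the man page describes is a filter that trusts the *source* port. The added example below (it is not from the original post, nor from nmap or Snort) is a small Python simulation that contrasts that naive rule with a stateful filter which only admits replies to flows the protected host itself started, and adds a detector that flags inbound new-connection attempts arriving from "trusted" source ports 20/53. The hosts, addresses, the exposed-service set and the traffic are all constructed for the example.

```python
from dataclasses import dataclass, field

# Source ports a naive ruleset "trusts" so that FTP-DATA (20) and DNS (53)
# replies get through; these are exactly the ports nmap -g would choose.
TRUSTED_SOURCE_PORTS = {20, 53}
# Services this host intentionally exposes (constructed for the example).
EXPOSED_PORTS = {("tcp", 80)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set

    def is_new_tcp_connection(self) -> bool:
        # SYN without ACK is a fresh connection attempt, not part of a reply.
        return self.proto == "tcp" and self.syn and not self.ack


def naive_allows_inbound(pkt: Packet) -> bool:
    """The weak rule: let anything in that claims to come from port 20 or 53."""
    if pkt.sport in TRUSTED_SOURCE_PORTS:
        return True
    return (pkt.proto, pkt.dport) in EXPOSED_PORTS


@dataclass
class StatefulFilter:
    """Records outbound flows so only genuine replies are admitted."""
    flows: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> None:
        # Remember the 5-tuple of a connection the protected host initiated.
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def allows_inbound(self, pkt: Packet) -> bool:
        # A legitimate reply is the mirror image of a flow we started.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return True
        return (pkt.proto, pkt.dport) in EXPOSED_PORTS


def flag_source_port_spoofing(pkts, fw: StatefulFilter):
    """Detection: inbound packets from a 'trusted' source port that match no
    flow we initiated and target no exposed service (UDP, or a TCP SYN)."""
    alerts = []
    for p in pkts:
        if p.sport not in TRUSTED_SOURCE_PORTS:
            continue
        if fw.allows_inbound(p):
            continue  # real reply or an intentionally exposed service
        if p.proto == "udp" or p.is_new_tcp_connection():
            alerts.append(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}")
    return alerts


def run_scenario():
    fw = StatefulFilter()
    # Constructed traffic: the host resolves a name and the resolver answers.
    query = Packet("10.0.0.5", 40001, "192.0.2.53", 53, "udp")
    reply = Packet("192.0.2.53", 53, "10.0.0.5", 40001, "udp")
    # Constructed probe: a SYN to port 22 sent from source port 53.
    probe = Packet("198.51.100.7", 53, "10.0.0.5", 22, "tcp", syn=True)
    fw.outbound(query)
    inbound = [reply, probe]
    return {
        "naive": [naive_allows_inbound(p) for p in inbound],      # [True, True]
        "stateful": [fw.allows_inbound(p) for p in inbound],      # [True, False]
        "alerts": flag_source_port_spoofing(inbound, fw),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The naive filter admits both the DNS reply and the probe because it only looks at the source port; the stateful filter admits the reply (it mirrors a recorded outbound query) and drops the probe, and the detector reports the same probe as a spoofed-source-port connection attempt.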