On 14/04/10 19:07:37, Srdjan Todorovic wrote:
> Hi,
>
> On 14 April 2010 18:49, Barry Samuels bjsamuels@beenthere-donethat.org.uk wrote:
>> Can anyone suggest what traffic coming in to port 53662 might be? It originates from a number of different IP addresses.
>
> Can you run tcpdump and capture the packets? What protocol is it?
>
> Some references to that port from different sources are mentioned in some Snort mailing list threads that mention a possible NOP sled attack.
>
> Srdjan
21:14:22.990731 IP dataman1.home.net.53662 > 229.185.249.62.customer.cdi.no.3625: UDP, length 33
21:14:22.990768 IP dataman1.home.net.53662 > c-71-192-110-50.hsd1.ma.comcast.net.16876: UDP, length 32
21:14:23.083431 IP 229.185.249.62.customer.cdi.no.3625 > dataman1.home.net.53662: UDP, length 18
21:14:23.135477 IP c-71-192-110-50.hsd1.ma.comcast.net.16876 > dataman1.home.net.53662: UDP, length 19
Those few lines make me think that my machine is sending out on that port first and getting a reply back on the same port later. Would that be a correct interpretation?
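
One way to check which side sent first in each UDP conversation, run over the four capture lines quoted in the message above (an added example, not part of the original thread; the function names are hypothetical). It can only judge packets inside the capture window, so a packet that arrived before tcpdump was started would not be seen.

```python
import re

# The four tcpdump lines from the message above, in capture order.
CAPTURE = """\
21:14:22.990731 IP dataman1.home.net.53662 > 229.185.249.62.customer.cdi.no.3625: UDP, length 33
21:14:22.990768 IP dataman1.home.net.53662 > c-71-192-110-50.hsd1.ma.comcast.net.16876: UDP, length 32
21:14:23.083431 IP 229.185.249.62.customer.cdi.no.3625 > dataman1.home.net.53662: UDP, length 18
21:14:23.135477 IP c-71-192-110-50.hsd1.ma.comcast.net.16876 > dataman1.home.net.53662: UDP, length 19
"""

# tcpdump prints "host.port"; the port is the last dot-separated field,
# so the greedy host group backtracks to the final ".<digits>".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

def parse(text):
    """Return (src, dst, timestamp, length) tuples; endpoints are (host, port)."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip anything that is not a one-line UDP summary
            packets.append(((m["src"], int(m["sport"])),
                            (m["dst"], int(m["dport"])),
                            m["ts"], int(m["len"])))
    return packets

def first_senders(packets):
    """Group packets by unordered endpoint pair and record who sent first."""
    flows = {}
    for src, dst, ts, _length in packets:
        flow = flows.setdefault(
            frozenset((src, dst)),
            {"first": src, "peer": dst, "started": ts, "out": 0, "back": 0},
        )
        # Count packets in the first sender's direction versus the reverse.
        flow["out" if src == flow["first"] else "back"] += 1
    return list(flows.values())

if __name__ == "__main__":
    for f in first_senders(parse(CAPTURE)):
        print("%s  %s:%d sent first to %s:%d  (%d out, %d back)" % (
            f["started"], *f["first"], *f["peer"], f["out"], f["back"]))
```
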