Re: Large increase in port 32772 activity
From: Jeff Kell (jeff-kell_at_utc.edu)
Date: 12/29/03
- Previous message: Christopher Harrington: "Large increase in port 32772 activity"
- In reply to: Christopher Harrington: "Large increase in port 32772 activity"
Date: Mon, 29 Dec 2003 14:00:38 -0500
To: Christopher Harrington <cmh@nmi.net>, Incidents <incidents@securityfocus.com>
Christopher Harrington wrote:
> All,
>
> Several of our customers are seeing very significant increase in port
> 32772 activity. They are single packets of which I do not have the size.
> One customer had over 1500 different hosts sending a single packet to
> 32772 in a 6 hour period. The vast majority of those hosts were probably
> zombies since they were Verizon DSL, Comcast, AT&T ip addresses. I know
> spammers look for 32772 to be open because Checkpoint can use this port
> for SMTP.

Ports 32770-32789 are technically "RPC Loopback" ports. Quoting from
the SANS recommendations: "Block the RPC portmapper, port 111 (TCP and
UDP) and Windows RPC, port 135 (TCP and UDP), at the border router or
firewall. Block the RPC "loopback" ports, 32770-32789 (TCP and UDP)."
See http://www.sans.org/top20/.

However, I have found that many default versions of BIND will also use
these as ephemeral ports when querying another name server. For this
purpose we allow 32770-32789 -> 53.

Jeff
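
Added example, not part of the original message: a log triage sketch that counts distinct sources hitting the 32770-32789 range while setting aside packets from source port 53, which the reply above identifies as likely BIND traffic. The log format, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

RPC_LOOPBACK = range(32770, 32790)  # 32770-32789 inclusive, as in the SANS text
DNS_PORT = 53
# Constructed log format (an assumption, not a real firewall's):
#   <time> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>
LINE_RE = re.compile(
    r"^\S+ (?:TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> [\d.]+:(?P<dport>\d+)$")

# Constructed sample of inbound packets logged at the border.
SAMPLE_LOG = """\
2003-12-29T08:00:01 TCP 198.51.100.10:4312 -> 192.0.2.25:32772
2003-12-29T08:00:07 TCP 198.51.100.77:1209 -> 192.0.2.25:32772
2003-12-29T08:01:15 TCP 198.51.100.10:4313 -> 192.0.2.25:32772
2003-12-29T08:02:30 UDP 203.0.113.53:53 -> 192.0.2.53:32772
2003-12-29T08:03:02 TCP 203.0.113.9:3301 -> 192.0.2.25:32771
2003-12-29T08:04:44 TCP 203.0.113.9:3302 -> 192.0.2.25:25
truncated line
"""

def classify(sport, dport):
    """Label one inbound packet by its source and destination ports."""
    if dport not in RPC_LOOPBACK:
        return "other"
    if sport == DNS_PORT:
        # Likely an answer to a BIND query sent from an ephemeral port in
        # the range; a stateful filter would confirm it against the query.
        return "dns-reply"
    return "probe"

def summarize(log_text):
    """Return ({dport: distinct source count}, dns_replies, unparsed)."""
    sources = defaultdict(set)
    dns_replies = unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        kind = classify(int(m["sport"]), int(m["dport"]))
        if kind == "probe":
            sources[int(m["dport"])].add(m["src"])
        elif kind == "dns-reply":
            dns_replies += 1
    return {p: len(s) for p, s in sources.items()}, dns_replies, unparsed
```

Calling `summarize(SAMPLE_LOG)` gives the per-port count of distinct probing hosts, the number of DNS-reply candidates excluded from that count, and the number of lines that did not parse.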