Weird port scanning on my network

From: Jeff Franks (jfranks1970_at_charter.net)
Date: 02/03/05


Date: Thu, 3 Feb 2005 12:59:34 -0600

I have a Watchguard Firebox that has been logging some interesting activity
(to me at least). I am getting TONS of new traffic from PCs on my network
that is going to incremental ports. It's tcp traffic sending SYN packets,
so I'm assuming that it's some sort of port scan, but not anything I have
seen before or anything I can find help for. I have scanned the PCs with
multiple antivirus software packages and have scanned them for Ad/Spyware
with 2 packages. Here is a section of my log entry. Any help is
appreciated. It may be nothing, but since this has started, my internet
speed has also dropped.

Notice that the source port is incrementing by 1. These ports are always
between 1000 and 4999. It hits port 80 as the destination port. Is this
normal for browsing activity?

thanks

jf

-------------------------------------
510298 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 63.210.164.25 2199 80 syn (Filtered-HTTP)
510308 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 63.210.164.25 2200 80 syn (Filtered-HTTP)
510318 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 63.210.164.25 2201 80 syn (Filtered-HTTP)
510328 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 64.215.172.6 2202 80 syn (Filtered-HTTP)
510338 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 64.215.172.6 2203 80 syn (Filtered-HTTP)
510348 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 63.210.164.25 2204 80 syn (Filtered-HTTP)
510418 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 64.215.172.6 2205 80 syn (Filtered-HTTP)
510428 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 64.215.172.6 2206 80 syn (Filtered-HTTP)
510748 01/12/05 14:44:20 n allow out eth1 44 tcp 20 128 10.0.0.44 216.109.126.57 2208 80 syn (Filtered-HTTP)
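
Added example, not part of the original post: a short Python check over three records from the log excerpt above that counts, per source host, the distinct destination hosts and destination ports, since those (not the source port) are what vary in a scan. The field positions in the regex are inferred from the excerpt, and the thresholds in classify() are illustrative assumptions.

```python
import re
from collections import defaultdict

# src IP, dst IP, src port, dst port, TCP flag. \s+ also spans e-mail line wraps.
# Field positions are inferred from the log excerpt, not from vendor documentation.
SYN_RE = re.compile(
    r"(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s+syn\b")

# Three records taken from the log excerpt above, wrapped as in the e-mail.
SAMPLE = """\
510298 01/12/05 14:44:19 n allow out eth1 44 tcp 20
128 10.0.0.44 63.210.164.25 2199 80 syn
(Filtered-HTTP)
510328 01/12/05 14:44:19 n allow out eth1 44 tcp 20
128 10.0.0.44 64.215.172.6 2202 80 syn
(Filtered-HTTP)
510748 01/12/05 14:44:20 n allow out eth1 44 tcp 20
128 10.0.0.44 216.109.126.57 2208 80 syn
(Filtered-HTTP)
"""

def summarize(log_text):
    """Group outbound SYNs by source host."""
    hosts = defaultdict(lambda: {"dsts": set(), "dports": set(), "sports": []})
    for src, dst, sport, dport in SYN_RE.findall(log_text):
        hosts[src]["dsts"].add(dst)
        hosts[src]["dports"].add(int(dport))
        hosts[src]["sports"].append(int(sport))
    return dict(hosts)

def classify(h, port_threshold=10, host_threshold=20):
    """Label one host's traffic. Thresholds are illustrative assumptions."""
    if len(h["dports"]) >= port_threshold:
        return "many destination ports (port-scan pattern)"
    if len(h["dsts"]) >= host_threshold:
        return "many destination hosts (sweep pattern)"
    # Rising source ports with a fixed destination port is how a client OS
    # hands out ephemeral ports for ordinary outbound connections.
    return "consistent with ordinary client connections"

if __name__ == "__main__":
    for host, h in summarize(SAMPLE).items():
        print(host, len(h["dsts"]), sorted(h["dports"]),
              min(h["sports"]), max(h["sports"]), classify(h))
```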