I let my router do some connection logging for me. One thing I set up was a DMZ that points to a non-existent IP on my LAN. So, any connection requests to ports I haven’t specifically forwarded go to a black hole, but are logged.
I see the occasional probe to various known ports, and once in a while somebody will sit there and scan a whole bunch of ports. But, not anything that gets me worried.
Recently though, I have been seeing a lot of probes aimed at port 32663. In looking at the IP addresses they originate from, they are all over the place (the globe), and really no duplicates. What is even more interesting is the port number for the origination. Just about all of them are showing port 53.
My router doesn’t log connections to DNS servers (which is what port 53 is used for), so maybe I’m not seeing everything. But, I don’t think I have anything here with some wild process playing with the internet.
Anyone have any idea what might be going on? (And, a search for what port 32663 might be used for turned up nothing!)
Yes, I appreciate that port is unassigned. But, why so many hits directed toward it? I get far more aimed at it than toward port 80, which would be for people scanning IP addresses to see if there was a web server at an address.
And, the port 53 from the originating end seems to be essentially fixed. Normally an outbound connect request here would be picking an unassigned port number, more or less at random — not a port address in that range that is assigned.
Since the source port is 53, I wonder if this is some sort of DNS attack. I’m assuming that most home routers assign a high, random source port number for outbound, masqueraded packets. So these could be legitimate DNS replies (though why would you be getting them from so many places?), or perhaps they are trying to guess the ports used by some routers to send fake DNS responses?
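
One way to check a router's drop log for the pattern discussed in this thread, as an added example that is not from any of the posters: it groups logged hits by destination port and flags ports reached by many distinct addresses, mostly from source port 53. The log line format, the sample lines, the function names and the thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed router log format (not taken from the thread).
SAMPLE_LOG = """\
Jan 05 10:00:01 DROP UDP 198.51.100.7:53 -> 203.0.113.10:32663
Jan 05 10:00:09 DROP UDP 192.0.2.44:53 -> 203.0.113.10:32663
Jan 05 10:01:30 DROP TCP 192.0.2.15:40112 -> 203.0.113.10:80
Jan 05 10:01:31 DROP TCP 192.0.2.15:40113 -> 203.0.113.10:23
Jan 05 10:02:12 DROP UDP 198.51.100.200:53 -> 203.0.113.10:32663
Jan 05 10:03:45 DROP UDP 192.0.2.91:53 -> 203.0.113.10:32663
Jan 05 10:04:02 DROP TCP 198.51.100.33:51877 -> 203.0.113.10:80
Jan 05 10:05:20 DROP UDP 198.51.100.60:41000 -> 203.0.113.10:32663
"""

LINE_RE = re.compile(
    r"DROP (?:TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> [\d.]+:(?P<dport>\d+)"
)

def summarize(log_text):
    """Per destination port: hits, distinct source IPs, hits from source port 53."""
    raw = defaultdict(lambda: {"hits": 0, "sources": set(), "from53": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not in the assumed format
        entry = raw[int(m["dport"])]
        entry["hits"] += 1
        entry["sources"].add(m["src"])
        entry["from53"] += m["sport"] == "53"
    return {
        port: {
            "hits": e["hits"],
            "distinct_sources": len(e["sources"]),
            "from53": e["from53"],
            "src53_share": e["from53"] / e["hits"],
        }
        for port, e in raw.items()
    }

def dns_like_ports(summary, min_sources=3, min_share=0.75):
    """Ports hit by many distinct hosts, mostly from source port 53."""
    return sorted(
        port for port, s in summary.items()
        if s["distinct_sources"] >= min_sources and s["src53_share"] >= min_share
    )

if __name__ == "__main__":
    print("Ports with DNS-reply-like traffic:", dns_like_ports(summarize(SAMPLE_LOG)))
```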