This is a local copy of http://www.robertgraham.com/pubs/firewall-seen.html.
The page may have changed since we made this copy. Click here for the original source page.


DIR Network Operations is not affiliated with the authors of this page nor responsible for its content.
FAQ: Firewall Forensics (What am I seeing?)

FAQ: Firewall Forensics (What am I seeing?)

This document explains what you see in firewall logs, especially what port numbers means. You can use this information to help figure out what hackers/worms are up to.

This document is intended for both security-experts maintaining corporate firewalls as well as home users of personal firewalls.

0. Information about this FAQ

Version 1.2.0, January, 2003
http://www.robertgraham.com/pubs/firewall-seen.html
Copyright 1998-2003 by Robert Graham (firewall-seen@robertgraham.com. Firewall Forensics FAQ
All rights reserved. Note that I care that people properly attribute this work but I don't care much of others profit by copying it.

Special thanks to Alan J. Rosenthal (maintainer of FAQs himself) for some really good input.

TOC

1. What does destination port number ZZZZ mean?
PORT GUIDE  | source-ports | many-to-one | trojans | DNS | IRC | remapping | still can't figure it out
2. What does this ICMP info mean?
0 (echo reply) | 3 (unreachable) | 4 (source quench) | 8 (ping) | 11 (ttl exceeded) 12 (problem)
3. What do these IP addresses indicate?
source-routing | 255.255.255.255 | track owner | 10.x.x.x | known IP addresses | 0.0.0.0 | directed-broadcasts | 169.254.x.x
4. Stuff doesn't work
slow connections
5. What are some typical signatures of well-known programs?
traceroute | sscan | proxy scanners | smurf | fraggle
7. What do these other logs mean?
DNS | HTTP | RPC | SMTP | identd
8. How do I configure filters?
ICMP filters | split DNS
9. Packet Zen
IP ID | TTL | Resources
10. What's the deal with NetBIOS (UDP port 137)?
What? | Why? | But I'm not Win? | Statistics | Signature | Get rid of them? | Attacks
A. Appendix
You'll note that some sections are missing. This is an evolving document; when sections are removed (because the info is moved into other sections), I don't renumber the document.

1. What does destination port number ZZZZ mean?

All the traffic going through the firewall is part of a connection. A connection consists of the pair of IP addresses that are talking to each other, as well a pair of port numbers that identify the protocol or service. The destination port number of the first packet often indicates the type of service being connected to. When a firewall blocks a connection, it will save the destination port number to its logfile. This section describes some of the meanings of these port numbers.

Port numbers are divided into three ranges:

In reality, machines start assigning "dynamic" ports starting at 1024. We also see strangeness, such as Sun starting their RPC ports at 32768.

Where to get a more complete list of port info:

ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers
"Assigned Numbers" RFC, the official source for port assignments.
http://advice.networkice.com/advice/Exploits/Ports/
Database of port numbers, hyper-linked to various exploits on those port numbers.
/etc/services
On UNIX systems, the file /etc/services contains a list of commonly used UNIX port number assignments. On Windows NT, this file is located in %systemroot%/system32/drivers/etc/services.
http://www.con.wesleyan.edu/~triemer/network/docservs.html
Links back to the protocol specifications frequently.
http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html
Frequently updated page by Richard Akerman with good/solid info.
http://www.tlsecurity.com/trojanh.htm
TLSecurity's list of Trojans. Rather than a collection of rumors by other people, the maintainers of this list claim to verify each and every port personally.
http://www.simovits.com/nyheter9902.html
Trojan Horse probes page.

1.1 What are some common incoming TCP/UDP probes against my firewall?

This section contains a list of common TCP and UDP port scans that people see against their firewalls. (Look in section 2 for ICMP info).
0 Commonly used to help determine the operating system. This works because on some systems, port 0 is "invalid" and will generate a different response when you connect to it vs. a normal closed port. One typical scan uses a destination IP address of 0.0.0.0 and sets the ACK bit, with broadcast at the Ethernet layer.
1tcpmux Indicates someone searching for SGI Irix machines. Irix is the only major vendor that has implemented tcpmux, and it is enabled by default on Irix machines. Irix machines ship with several default passwordless accounts, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox, and 4Dgifts. Many administrators forget to close these accounts after installation. Therefore, hackers scan the Internet looking first for tcpmux, then these accounts. [ CA-1995-15 RFC 1078 ]
7Echo You will see lots of these from people looking for fraggle amplifiers sent to addresses of x.x.x.0 and x.x.x.255.

A common DoS attack is an echo-loop, where the attacker forges a UDP from one machine and sends it to the other, then both machines bounce packets off each other as fast as they can (see also chargen). [CA-96.01]

Another common thing seen is TCP connections to this port by DoubleClick. They use a product called "Resonate Global Dispatch" that connects to this port on DNS servers in order to locate the closest one.

Harvest/squid caches will send tbese UDP echoes from port 3130. To quote their document: If the cache is configured with source_ping on, it also bounces a HIT reply off the original host's UDP echo port. It can generate a lot of these packets.

11sysstat This is a UNIX service that will list all the running processes on a machine and who started them. This gives an intruder a huge amount of information that might be used to compromise the machine, such as indicating programs with known vulnerabilities or user accounts. It is similar the contents that can be displayed with the UNIX "ps" command. This service is usually disabled, scans for this don't expect to actually succeed most of the time.

Some people come here looking for ICMP port 11. To repeat: firewall logs are confusing, ICMP doesn't have ports; if you see something that says "ICMP port 11", you probably want ICMP type=11.

19chargen This is a service that simply spits out characters for testing purposes. The UDP version will respond with a packet containing garbage characters whenever a UDP packet is received. On a TCP connection, it spits out a stream of garbage characters until the connection is closed. Hackers can take advantage of IP spoofing for denial of service attacks. Forging UDP packets between two chargen servers, or a chargen and echo can overload links as the two servers attempt to infinitely bounce the traffic back and forth. Likewise, the "fraggle" DoS attack broadcasts a packet destined to this port with a forged victim address, and the victim gets overloaded with all the responses. [CA-96.01]
21FTP The most common attack you will see are hackers/crackers looking for "open anonymous" FTP servers. These are servers with directories that can be written to and read from. Hackers/crackers use these machines as way-points for transferring warez (pirated programs) and pr0n (intentionally misspelled word to avoid search engines classifying this document).

In early 2003, I occasionally see people trying to exploit the FTP server using a wide sprectrum of vulnerabilities. For example, I see them try several kinds of buffer-overflows.

22ssh
pcAnywhere		 SSH is a popular way to remotely run a command-prompt on systems, primarily UNIX systems. It provides secure authentication and encryption, so it is especially popular among security professionals. There is a commercial version by the company that originally created it, a popular open-source OpenSSH alternative, and many other compatible versions.

In 2002, numerous vulnerabilities in most all versions were discovered, exploited, and routinely scanned for. Many security professionals had their boxes compromised through SSH -- in many cases, SSH was the only service they had remotely reachable.

Also note that the ssh package comes with a program called make-ssh-known-hosts that will scan a domain for ssh hosts. You will sometimes be scanned from innocent people running this utility.

UDP (rather than TCP) packets directed at this port along with port 5632 indicate a scan for pcAnywhere. The number 5632 is (hex) 0x1600, which byte-swapped is 0x0016, which is 22 decimal.

[CA-2002-36] [CA-2002-18] [CA-2001-35] [CA-1999-15]

23Telnet Telnet is the most popular protocol for getting a remote command line.

The most common use by scanners is to get the "banner" that prompts the user for a login name. The banner tells a lot about system -- often the attacker isn't interested in actually exploiting Telnet as to figure out more about the system when attacking other ports.

As of 2002, most attackers are interested in finding network equipment such as switches and routers, especially Cisco equipment. When my honeypot gives them a command prompt, they spend more time trying out Cisco commands than they do things like "uname" to figure out what system they are running on.

Historically (and still common as of 2002), hackers look for Unix systems with default accounts. They will try a series of logon names and empty passwords. Since Unix systems have largely fixed this problem of default accounts, this has become a less popular attack.

25SMTP SMTP (Simple Mail Transfer Protocol) is the protocol that transfers virtuall all the world's e-mail.

Scans against this port are almost certain coming from spammers (and occasionally anti-spammers) looking for "open relays". An open relay is a mail server that will accept e-mail from anyone and forward it on. This allows the spammer to hide behind the relay, as well as take advantage of the fact that they can submit one e-mail with 20 recipients -- and the relay will do the job of sending copies to each recipient. This lowers the spammer's bandwidth costs.

Note that there continue to be vulnerabilities in mail servers themselves.

53DNS DNS (Domain Name Service) is a core Internet protocol; it translates names into Internet addresses (like a phonebook translates names into phone numbers). It is so important that when DNS servers go down, users usually think the Internet itself has gone down.

Ways of breaking into DNS servers are frequently discovered, such as the BIND exploit in 2002. The BIND (Berkeley Internet Name Daemon) is the most popular DNS server. Many UDP packets you see rejected by the firewall are looking for the name "version.bind", which will tell the hacker what version of BIND you are (hopefully) running, and therefore which exploits they can run to break into your service. If you put a vulnerable version of BIND on the Internet, it will likely be compromised in a few days.

DNS information tells the hacker a lot of about the intended victim. Rejected TCP attempts probably reflect a desire by the hacker to do a "zone transfer", which will list all the computers in your domain. Victims often name systems in ways that help hackers figure out what is going on, such as "cisco-rtr.example.com" or "payroll.example.com".

Since DNS is such an important protocol to the Internet, firewall administrators often allow port 53 when they shouldn't. They sacrifice security in order to get ease-of-use and reliability. This allows hackers to use port 53 for protocols other than DNS. An important thing to note is that you will frequently see port 53 used as the source UDP port. Stateless firewalls frequently allow such traffic on the assumption that it is a response to a DNS query. Hackers are increasingly exploiting this to pierce firewalls.

67 and 68bootp
DHCP		 DHCP (and the older version, BOOTP) are the protocols that assign your desktop computer an IP address.

Firewalls will see (and reject) a lot of DHCP requests from your local network. This is an interesting problem with cable and DSL modems, because they create "virtual" local networks including people in your nearby physical neighborhood. You can identify these local requests because they are not sent to you, but are are instead to what's called the "local broadcast" address: 255.255.255.255. These machines are asking to for an address assignment from a DHCP server. You could probably hack into them by giving them such an assignment and specifying yourself as the local router, then execute a wide range of man-in-the-middle attacks. The client requests configuration on a broadcast to port 68 (bootps). The server broadcasts back the response to port 67 (bootpc). The response uses some type of broadcast because the client doesn't yet have an IP address that can be sent to.

You rarely see attackers from remote parts of the Internet trying to exploit DHCP vulnerabilities.

As of 2003, an important exploit has been found in a DHCP service, so remote hackers may start scanning for this. [CA-2003-01]

69TFTP(over UDP). Many servers support this protocol in conjunction with BOOTP in order to download boot code to the system. However, they are frequently misconfigured to provide any file from the system, such as password files. They can also be used to write files to the system.
79finger Hackers are trying to:
80http Prior to 2003, I did not include an entry for this port. Presumably, you would know what port 80 meant without this guide having to tell you. However, a enormous number of worms infecting Windows and Unix systems are now using this port, so I am including it for worm discussion.
98linuxconf The utility "linuxconf" provide easy administration of Linux boxen. It includes a web-enabled interface at port 98 through an integrated HTTP server. It has had a number of security issues. Some versions are setuid root, trust the local network, create world-accessible files in /tmp, and a buffer overflow in the LANG environment variable. Also, because it contains an integrated web server, it may be vulnerable to many of the typical HTTP exploits (buffer overruns, directory traversal using ../.., etc.).
109POP2 POP2 is not nearly as popular as POP3 (see below), but many servers support both (for backwards compatibility). Many of the holes that can be exploited on POP3 can also be exploited via the POP2 port on the same server.
110POP3 POP3 is used by clients accessing e-mail on their servers. POP3 services have many well-known vulnerabilities. At least 20 implementations are vulnerable to a buffer overflow in the username or password exchange (meaning that hackers can break in at this stage before really logging in). There are other buffer overflows that can be executed after successfully logging in.
111sunrpc
portmap
rpcbind		Sun RPC PortMapper/RPCBIND. Access to portmapper is the first step in scanning a system looking for all the RPC services enabled, such as rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. If the intruder finds the appropriate service enabled, s/he will then run an exploit against the port where the service is running.

Note that by putting a logging daemon, IDS, or sniffer on the wire, you can find out what programs the intruder is attempting to access in order to figure out exactly what is going on.

113identd
auth		 This is a protocol that runs on many machines that identifies the user of a TCP connection. In standard usage this reveals a LOT of information about a machine that hackers can exploit. However, it used by a lot of services by loggers, especially FTP, POP, IMAP, SMTP, and IRC servers. In general, if you have any clients accessing these services through a firewall, you will see incoming connection attempts on this port. Note that if you block this port, clients will perceive slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back a RST on the TCP connection as part of the blocking procedure, which will stop these slow connections.
119NNTP
news		Network News Transfer Protocol, carries USENET traffic. This is the port used when you have a URL like news://comp.security.firewalls. Attempts on this port are usually by people hunting for open USENET servers. Most ISPs restrict access to their news servers to only their customers. Open news servers allow posting and reading from anybody, and are used to access newsgroups blocked by someone's ISP, to post anonymously, or to post spam.

Update: @Home has started scanning their subscribers to see if they are running USENET servers. They are doing this in order to find these servers and close them before spammers can take advantage of them.

135loc-serv
MS RPC end-point mapper		 As of 2003, the most common reason you see port 135/udp is because of WinPopup/Messenger spam. This is a feature in Windows that allows system administrators to notify employees of unusual events, such as the network or file servers about to be rebooted. However, spammers have found a way to subvert this and use this mechanism to send popup messages on the victim's desktop.

Microsoft runs its DCE RPC end-point mapper for its DCOM services at this port. This has much the same functionality as port 111 for UNIX systems. Services that use DCOM and/or RPC register their location with the end-point mapper on the machine. When clients remotely connect to the machine, they query the end-point mapper to find out where the service is. Likewise, hackers can scan the machine on this port in order to find out such things as "is Exchange Server running on this machine, and which version?".

This port is often hit in order to scan for services (for example, using the "epdump" utility), but this port may also be attacked directly. Currently, there are a few denial-of-service attacks that can be directed at this port.

No RPC service except the endpoint mapper runs on this port, except that "broadcast" messages intended for other RPC services can be forwarded through this port.

137NetBIOS
name service
nbtstat		 (UDP) This is the most common item seen by firewall administrators and is perfectly normal. Please read the NetBIOS section below for more details.
139NetBIOS
File and Print Sharing		 Incoming connections to this port are trying to reach NetBIOS/SMB, the protocols used for Windows "File and Print Sharing" as well as SAMBA. People sharing their hard disks on this port are probably the most common vulnerability on the Internet.
2000
Attempts on this port were common at the beginning of 1999, but tapered off near the end. Now at the start of year 2000, attempts on this port have picked up again. Several VBS (IE5 VisualBasic Scripting) worms have appeared that attempt to copy themselves on this port. Therefore, it may be worms attempting to propagate on this port.
2001
In late 2001 and early 2002, the Nimda worm would share the C$ drive when it infected a machine. Many attempts against this port are from people scanning for drives left open by Nimda.
2002
In late 2002, the ALEVIR worm is propagating heavily throughout the Internet infecting Win95/Win98/WinMe machines. These have a bug that allows a hacker to connect to a password-protected share by using only the first character of a password, which is easy to guess. Most connection attempts to port 139 are from this worm.
future
WinXP is moving away from using port 139, more and more ISPs are blocking it.
143IMAP4 Same security idea as POP3 above, numerous IMAP servers have buffer overflows that allow compromise during the login. Note that for awhile, there was a Linux worm (admw0rm) that would spread by compromising port 143, so a lot of scans on this port are actually from innocent people who have already been compromised. IMAP exploits became popular when RedHat enabled the service by default on its distributions. In fact, this may have been the first widely scanned for exploit since the Morris Worm.

This port is also used for IMAP2, but that version wasn't very popular.

Several people have noted attacks from port 0 to port 143, which appears to be from some attack script.

161SNMP (UDP) A very common port that intruders probe for. SNMP allows for remote management of devices. All the configuration and performance information is stored in a database that can be retrieved or set via SNMP. Many managers mistakeningly leave this available on the Internet. Crackers will first attempt to use the default passwords "public" and "private" to access the system; they may then attempt to "crack" the password by trying all combinations.

SNMP packets may be mistakenly directed at your network. Windows machines running HP JetDirect remote management software uses SNMP, and misconfigured machines are frequent. HP OBJECT IDENTIFIERs will be seen in the packets. Newer versions of Win98 will use SNMP for name resolution; you will see packets broadcast on local subnets (cable modem, DSL) looking up sysName and other info.

In early 2002, a university in Finland released its "PROTOS" tool that demonstrated many flaws in popular SNMP implementations. These flaws had been known for more than a decade, but this was the first time security implications were shown for these flaws.

162SNMP trap Probably a misconfiguration.
177xdmcp Numerous hacks may allow access to an X-Window console; it needs port 6000 open as well in order to really succeed.
445NetBIOS
File and Print Sharing		 See port 139 for more information.

In Windows 2000 and Windows XP, port 445 is essentially a duplicate of port 139. These ports are used for Micrsoft's file and printer sharing, remote registry access, named pipes services, and many MS-RPC services. The difference is that port 139 supports these services on top of NetBIOS, whereas port 445 gets rid of this middleman, supporting these services directly over TCP/IP.

Whereas many ISPs now filter port 139, many do not filter port 445. As of mid-2002, we are seeing more scans for port 445 as hackers learn to get around port 139 filters. In late 2002, we are seeing worms propogate via this port.

513rwho Probably from UNIX machines on your DSL/cable-modem segment broadcasting who is logged into their servers. These people are kindly giving you really interesting information that you can use to hack into their systems.
515lp
printer		 This is the standard protocol for remote printing on UNIX systems. Virtually every UNIX system from Sun Solaris to Linux will listen on this port. In addition, most laster printers support this protocol as well. There are widespread vulnerabilities on this port, due either to vulnerabilities in the protocol itself, or vulnerabilities in printer-specific drivers behind this port. The RedHat 7 LPRng bug was exploited by the Ramen worm in early 2001.

As of late 2002, this is one of the more common ports probed, both because of Linux worms propogating, but also from hackers looking for well-know vulnerabilities.

535CORBA
IIOP		 (UDP) If you are on a cable-modem or DSL VLAN, then you may see broadcasts to this port. CORBA is an object-oriented remote procedure call (RPC) system. It is highly likely that when you see these broadcasts, you can use the information to hack back into the systems generating these broadcasts. There are many exploits possible against this port, but as of August 2002, they haven't been reported to Bugtraq yet.
600pcserver
backdoor		 See port 1524 for more info.

Some script kiddies feel they're contributing substantially to the exploit programs by making a minor change from ingreslock to pcserver in constant text... -- Alan J. Rosenthal.

635mountd Linux mountd bug. This is a popular bug that people are scanning for. Most scans on this port are UDP-based, but they are increasingly TCP-based (mountd runs on both ports simultaneously). Note that mountd can run at any port (for which you must first do a portmap lookup at port 111), it's just that Linux defaulted to port 635 in much the same way that NFS universally runs at port 2049.
1024----- Many people ask the question what this port is used for. The answer is that this is the first port number in the dynamic range of ports. Many applications don't care what port they use for a network connection, so they ask the operating system to assign the "next freely available port". In point of fact, they as for port 0, but are assigned one starting with port 1024. This means the first application on your system that requests a dynamic port will be assigned port 1024. You can test this fact by booting your computer, then in one window open a Telnet session, and in another window run "netstat -a". You will see that the Telnet application has been assigned port 1024 for its end of the connection. As more applications request more and more dynamic ports, the operating system will assign increasingly higher port numbers. Again, you can watch this effect with 'netstat' as your browse the Internet with your web browser, as each web-page requires a new connection.
1025----- See port 1024.
1026----- See port 1024.
1027----- See port 1024.
1080SOCKS This protocol tunnels traffic through firewalls, allowing many people behind the firewall access to the Internet through a single IP address. In theory, it should only tunnel inside traffic out towards the Internet. However, it is frequently misconfigured and allows hackers/crackers to tunnel their attacks inwards, or simply bounce through the system to other Internet machines, masking their attacks as if they were coming from you. WinGate, a popular Windows personal firewall, is frequently misconfigured this way.

In the year 2000, much activity on this port was for the purpose of connecting to IRC chatrooms. Usually the goal was DoS the chatroom. For this reason, most IRC servers will not scan your machine for SOCKS out of self-defense: they want to make sure that you are a legitimate user and now somebody who left the SOCKS service running that a hacker is tunneling through.

In the year 2003, most of this activity is now by spammers. They are looking for SOCKS servers in order to funnel spam through. This hides the original source of the spam.

There are several websites that maintain lists of open SOCKS servers. In 2002, most of the scans I see were from people who maintain these lists.

1114SQL This is rarely probed by itself, but is almost always seen as part of the sscan script.
1243Sub-7Trojan Horse (TCP). See the section on SubSeven for more details.
1433MS SQL Microsoft runs its SQL database server on this port.

In the year 2002, several worms started exploiting this port. See section 11.2 for more information.

1434MS SQL Service Discovery Protocol worm Microsoft's SQL server uses this port for discovery of SQL services on the local LAN.

On January 26, 2003, the SQLslammer worm took down parts of the Internet in the early hours of the morning. It took advantage of a buffer overflow on this service. Administrators quickly respond by widely configuring packet filters throughout the Internet, so by the time many people woke up in the morning in the U.S., much of the problem had gone away. See section 11.3 for more info.

1524ingreslock
backdoor		 Many attack scripts install a backdoor shell at this port (especially those against Sun systems via holes in sendmail and RPC services like statd, ttdbserver, and cmsd). If you've just installed your firewall and are seeing connection attempts on this port, then this may be the cause. Try telnetting to the attempted machine in order to see if it indeed comes up with a shell. Connections to port 600/pcserver also have this problem. [IN-99-04]
2049NFS The NFS program usually runs at this port. Normally, access to portmapper is needed to find which port this service runs on, but since most installations run NFS on this port, hackers/crackers can bypass portmapper and try this port directly.
2766listen
npls		 Used by Sun Solaris boxes as a printer service, alternative to the standard printer on port 515. Exploit scripts against Solaris machines will frequently bind a shell to this port, similar to the ingreslock port. In particular, a well-known exploit against the snmpXdmid vulnerability left behind a shell on this port.
3128squid This is the default port for the "squid" HTTP proxy. An attacker scanning for this port is likely searching for a proxy server they can use to surf the Internet anonymously. You may see scans for other proxies at the same time, such as at port 8000/8001/8080/8888. Another cause of scans at this port, for a similar reason, is when users enter chatrooms. Others users (or the servers themselves) will attempt to check this port to see if the user's machines supports proxying. See section 5.3 for more info.
5632pcAnywhereYou may see lots of these, depending on the sort of segment you are on. When a user opens pcAnywhere, it scans the local Class C range looking for potential agents. Hackers/crackers also scan looking for open machines, so look at the source address to see which it is. Some scans for pcAnywhere frequently also include a UDP packet to port 22. See dialup probes for more info.
6776Sub7 artifact This port is used separately from the SubSeven main port to transfer data. One example where you might see this is when a master is controling a slave on a dialup line, then the slave machine hangs up. Therefore, when someone else dials-in at that IP address, they will see a continuous stream of connection attempts at this port. more on dialups
6970RealAudio Clients receive incoming audio streams from servers on UDP ports in the range 6970-7170. This is setup by the outgoing control connection on TCP port 7070.
13223PowWowThe "PowWow" chat program from Tribal Voice. It allows users to open up private chat connections with each other on this port. The program is very aggressive at trying to establish the connection and will "camp" on the TCP port waiting for a response. This causes a connection attempt at regular intervals like a heartbeat. This can be seen by dial-up users who inherit IP addresses from somebody who was chatting with other people: it will appear as if many different people are probing that port. The protocol uses the letters "OPNG" as the first four bytes of its connection attempt. more
17027Conducent Outbound: This is seen on outbound connections. It is caused by users inside the corporation who have installed shareware programs using the Conducent "adbot" wrapper. This wrapper shows advertisements to users of the shareware. A popular shareware program that uses this is PKware. Bill Royds mentions that in his experience, you can block this outbound connection with no problem, but if you block the IP addresses themselves, then the adbots can overload the link trying to reach the servers by continually connecting many times per second.

The machines will attempt to resolve the DNS name "ads.conducent.com", which resolve to the IP addresses:

216.33.210.40
216.33.199.77
216.33.199.80
216.33.199.81
216.33.210.41
These addresses are hosted by Exodus.

27374Sub-7Trojan Horse (TCP). See the section on SubSeven for more details.

Also used as a backdoor port left behind by exploit scripts, such as those in the Ramen worm. While some scans for this port may be due to SubSeven, others may be looking for a remote shell.

30100NetSphereTrojan Horse (TCP). This is a commonly seen scan looking for systems compromised by this trojan.
31337Back Orifice
"elite"		 This number means "elite" in hacker/cracker spelling (3=E, 1=L, 7=T). Lots of hacker/cracker backdoors run at this port, but the most important is Back Orifice. At one time, this was by far the most popular scan on the Internet. These days, it's popularity is waning and other remote access trojans are becoming popular.
31789Hack-a-tack UDP traffic on this port is currently being seen due to the "Hack-a-tack" RAT (Remote Access Trojan). This trojan includes a built-in scanner that scans from port 31790, so any packets FROM 31789 TO 317890 indicate a possible intrusion. (Port 31789 is the control connection; port 31790 is the file transfer connection).
32770 ~ 32900RPC services Sun Solaris puts most of its RPC services in this range. In particular, older versions of Solaris (pre-2.5.1) put a portmapper in this range, allowing hackers access to this even when low ports are blocked by a firewall. Probes in this range might either be for this portmapper, or for known RPC services that can be exploited.
33434 - 33600traceroute If you see a series of UDP packets within this port range (and only within thisrange), then it is probably indicative of traceroute. See traceroute for more info.
41508Inoculan Inoculan on UDP. Older versions of Inoculan apparently generate huge quantities of UDP traffic directed at subnets in order to discover each other. More info can be found at http://www.circlemud.org/~jelson/software/udpsend.html and http://www.ccd.bnl.gov/nss/tips/inoculan/index.html. Thanks to Jerry Leslie, NeoNET < leslie at clio dot rice dot edu>

1.2 What do the following source ports mean?

Ports 1-1024 are for reserved services, and almost never appear as the source. There are some exceptions, such as when connections come from NAT machines. See section 1.9 for some more details.

Ports closely after 1024 (i.e. 1024-5000) are the ones most commonly seen. These are the "dynamic" range that are assigned to applications that don't care what port they use for their connection.

ServerClientServiceDescription
1-5/tcpdynamicFTP Ports 1-5 are indicative of a script called 'sscan'
20/tcpdynamicFTP FTP servers usually transfer files from this port.
53dynamicFTP DNS servers will send UDP responses from this port. You may also see TCP connections with source/destination ports of 53.
123dynamicS/NTP The (Simple) Network Time Protocol (S/NTP) servers run at this port. They will also send broadcasts to this port.
27910-27961/udpdynamicQuake games Quake (and Quake-derived games) usually run servers at these ports. Therefore, UDP packet from this range (and to this range) will usually be games.
61000+dynamicFTP Ports above 61000 might come from machines behind a Linux NAT server called "IP Masquerade".

1.3 I'm seeing attempts on the same set of ports from widely varying sources all over the Internet.

This is due to a "decoy" scan, such as in 'nmap'. One of them is the attacker; the others are not.

Forensics and protocol analysis can be used to track down who this is. For example, if you ping each of the systems, you can match up the TTL fields in those responses with the connection attempts. This will at least point a finger at a decoy scan. (The TTLs should match; if not, then they are being spoofed). [Newer versions of scanner now randomize the attackers own TTL, making it harder to weed them out].

You can also attempt to go back further in your logs, looking for all the decoy addresses or people from the same subnets. You will often see that the attacker has actually connected to you recently, while the decoyed addresses haven't.

1.4 What are Trojan Horse probes?

The first stage of a Trojan Horse attack is to get the program on a user's machine. Typical techniques are:

The next stage of the attack is to scan the Internet looking for machines that might be compromised. The problem is that most of the techniques outlined above don't tell the cracker/hacker where their victim machine is. Therefore, the cracker/hacker must scan the Internet looking for the machines they might have compromised.

This leads the condition where owners of firewalls (including personal firewalls) regularly see "probes" directed at their machines from crackers/hackers looking for these machines. However, if the machine hasn't been compromised, then these probes are not a problem. The probes cannot compromise the machine by themselves. Administrators can usually ignore these "attacks".

Typical ports used by these probes are listed below. In order to tell if your machine might be running one of these trojans, run the program "netstat -an" on your machine. Look for the ports that might be "listening" for incoming connections.
PortTrojan
555phAse zero
1243Sub-7, SubSeven
3129Masters Paradise
6670DeepThroat
6711Sub-7, SubSeven
6969GateCrasher
21544GirlFriend
12345NetBus
23456EvilFtp
27374Sub-7, SubSeven
30100NetSphere
31789Hack'a'Tack
31337BackOrifice, and many others
50505Sockets de Troie
Resources: http://www.commodon.com/threat/threat-ports.htm

1.4.1 What is SubSeven (Sub-7) ?

Sub7 has become the most popular remote access trojan. At this time, it is the easiest-to-use and most powerful trojan. The reasons for this are:

In short, it not only is an excellent hacking tool, the little "magic" tricks are designed to scare the <bleep> out of victims.

Sub7 is written by a hacker who calls himself "Mobman". His site can be reached at http://subseven.slak.org/.

Sub7 might use the following ports:

1243
The default connection port for older versions.
2772
Screen capture port
2773
Key logger port
6711
???
6776
I'm not sure what this port is for, but it has been claimed that this can serve as a "backdoor" in some versions. (Yes, a backdoor program with a backdoor to avoid password prompts).
7215
Port for the "matrix" chat program
27374
Another default port appearing in v2.0
54283
Spy port

1.9 DNS packets from low numbered ports

Q: I've seen many DNS requests from many low port numbers below 1024. Aren't they supposed to be reserved? Aren't they supposed to use 1024-65535 range?
A: These are coming from machines behind NAT firewalls. A NAT doesn't necessarily have the concept of reserved port numbers. thanks to Ryan Russell Ryan.Russell at sybase dot com

Q: My filters reject incoming packets with source ports below 1024, so the DNS lookups are failing.
A: Don't filter that way. Lots of firewalls have similar rules, but this is somewhat "misguided" since hackers/crackers can forge whatever ports they want.

Q: Are these NAT firewalls doing it incorrectly?
A: Not in theory, but in practice it will result in failures. The "correct" way would be more strictly control DNS traffic in any case (such as essentially "proxying" DNS and forcing out through port 53).

Q: I thought DNS lookup was supposed to use a random source port above 1024?
A: In practice, your average DNS client will use a non-reserved port. However, a lot of implementations use a source port of 53. In any case, the NAT issue is completely separate because it completely changes the entire 'socket' (IP address + port combo).

1.11 IRC servers are probing me.

One of the most popular applications is "chat", like IRC. One feature of chat programs is that they reveal the IP address of the people you are chatting with. One problem with chatrooms is that people enter the rooms "anonymously" and play around, either by disrupting conversations with offtopic comments and flamebait, or by "flooding" the servers or other clients in an attempt to kicked them off.

Therefore, both servers and clients are implementing measures to stop "anonymous" use of chatrooms. In particular, they check people entering chatrooms in order to see if they are "proxying" through some other connection. The most popular of such probes is SOCKS. The assumption is that if the IP address of where you are coming from supports SOCKS, then it is possible that you have a completely separate machine and are only going through the indicated machine in order to hide your true identity. Undernet's policy on this can be found at http://help.undernet.org/proxyscan.

At the same time, crackers/hackers will scan people's machines in order to determine if they are running some sort of server that can be bounced through. Again, by checking for SOCKS, the attacker hopes to find somebody that has left SOCKS open, such as a home user implementing connection sharing using SOCKS, but accidentally configured it so that anybody on the Internet has access to it.

1.12 What are "remapped" ports?

A common technique is to remap ports to some other address. For example, whereas the default port for HTTP is 80, many people remap it to another port, such as 8080 (hence, this document could reside at http://www.robertgraham.com:8080/pubs/firewall-seen.html if I were to remap the port).

Remapping is done under the theory that making the port harder to find will make it more difficult for a hacker to exploit. Instead of simply exploiting a well-known service at a well-known port, the hacker will have to port scan the machine.

Most port remapping is done at some variation of the original port. Therefore, most HTTP ports are based upon a variation of the theme "80": 81, 88, 8000, 8080, 8888, and so forth. POP, which is originally at port 110 can often be found at port 1100.

There are other statistically significant chosen numbers, like 12345, 23456, 34567, etc. Many people also choose numbers that are well known for other reasons; 42, 69, 666, 31337, and so on. The recent proliferation of Remote Access Trojans (RATs) has resulted in hackers/crackers choosing the same defaults for their programs. For example, NetBus defaults to port 12345.

Blake R. Swopes points out that remapping is also done because on UNIX machines, your server needs root privileges to listen on ports below 1024. If you don't have root level access and want to run a web service, you will need to install it on a high-numbered port. Likewise, some ISPs might firewall low-numbered ports, forcing you to remap even when you own the entire machine.

1.13 I still can't figure out what somebody is trying to connect to a port, what can I do?

Use netcat in order to setup a listening process. For port '1234', use: 
netcat -L -p 1234
A lot of protocols will send data as the first part of the connection. By setting up netcat listening on the port, you might be able to figure out what protocol that are using. If you are lucky, the protocol in question will be HTTP, which will give you a wealth of information that you can use to track down what is happening.

The "-L" option means to listen continuously. Normally, netcat would accept a single connection, dump the contents, then exit. By adding this option, it will remain running for multiple connections.

2. ICMP

Whereas TCP and UDP carry data, ICMP contains purely control messages. Therefore, ICMP messages cannot really be used to break into your machine. Hackers use ICMP messages to attempt to scan networks, DoS machines, or redirect traffic.

Some firewalls (inaccurately) label ICMP fields as "ports". ICMP has no ports like TCP or UDP, but it does have two fields called "type" and "code". While these fields serve completely unrelated purposes, the fact that there are two of them have led to firewalls mislabeling them. Thus, you will see firewall logs that look like: 

REJECT proto=1 from=10.2.3.4:8 to=192.0.2.123:0
In reality, it should be represented like: 
REJECT proto=1 icmptype=8 icmpcode=0 from=10.2.3.4 to=192.0.2.123

For more on ICMP, please read my Infosec Lexicon entry on ICMP .

The official reference for what ICMP Type/Code fields mean is found at http://www.isi.edu/in-notes/iana/assignments/icmp-parameters. While that document describes the official meanings, this section describes what hackers are trying to do. This section contains a brief summary at top, then more details descriptions down below.

TypeCodeNameSummary
0*Echo Reply A response to a ping.
[more]
3*Destination Unreachable An indication back from a host or router that some packet did not reach its destination.
[more]
0Net Unreachable Route configuration problem or incorrectly specified IP address.
[more]
1Host Unreachable It means that the router one hop before the desired host could not ARP the host.
3Port unreachable The server tells the client that nobody is listening at the port the client attempted to contact.
[more]
4Fragmentation Needed but DF set Important: If you are seeing these in your firewall reject logs, then you've misconfigured your firewall. You should allow this packet to pass through, otherwise your clients will see their TCP connections mysteriously hang.
[more]
4*Source Quench Congestion on the Internet.
[more]
5*Redirect Somebody is trying to redirect your default router. This could be from a hacker trying to execute a man-in-the-middle against you by causing you to route through their own machine.
8*Echo Request Ping.
[more]
9*Router Advertisement There is exists a hack against Win9x and Solaris such that a hacker can DoS you by redirecting your default router. A neighboring hacker can also do a man-in-the-middle attack by directing you through his/her router.
11*Time Exceeded In Transit It means that a packet never reached its target because something timed out.
0TTL Exceeded Router dropped the packet either because of a routing loop or maybe because of a traceroute.
[more]
1Fragment reassembly timeout The host dropped the packet because it didn't receive all the fragments.
[more]
12*Parameter Problem Something unusual is going on, and probably indicates an attack.
[more]

2.0 Type = 0 (Echo Reply)

The sender is responding to a ping from your address. This could be because:
Someone's ping that person
Somebody behind the firewall is sending pings to the target.
Automated ping
Lots of applications use pings for various purposes, such as to see if their communication partner is alive, or to measure the response time. A big cause of this is VitalSign's Net.Medic, which sends pings of various sizes in order to measure link speed.
Decoy Ping Sweep
Somebody is using your IP address as a decoy in a ping sweep, so you are seeing the responses.
Covert-channel communications
Most network managers block incoming pings (type=8), but allow ping responses (type=0). Therefore, hackers have begun using ping replies as ways of bypassing firewalls. For example, in the massive DDoS attacks against Internet sites, commands could be imbedded in ping responses, and floods of responses were directed against the sites in order to clog their Internet connections.

2.3 Type = 3 (Destination Unreachable)

The exact code is important in the Unreachable packet.

Note that Unreachables sometimes play a part in defeating SYN floods. This means that if a host you are talking to is under SYN flood attack, you will not be able to reach them if you block incoming Unreachables.

In some cases, you will receive destination unreachable packets from hosts you have never heard of. The most common cause of this is a "decoy scan". An attacker is sending spoofed packets a target using possibly hundreds of source addresses, including one that is the real address. The hacker's theory is that the victim won't wade through all the decoys in order to pin them down.

The best way to solve this is to examine the actual packets as described below. Try to discover is the pattern looks like what one would see in a decoy scan. For example, look for alternating port numbers in TCP or UDP headers contained within the ICMP portion of the packet.

2.3.0 Type = 3, Code = 0 (Destination Net Unreachable)

No route to host A router tells the client that it does not know how to route to anything at all in the network range that includes the host the client is talking to. This indicates either the client chose the wrong IP address, or that routing tables are misconfigured somewhere. Note that sometimes you see the message "No route to host" on your own UNIX machine when your own routing tables are messed up, which is especially common when configuring point-to-point links.

2.3.3 Type = 3, Code = 3 (Destination Port Unreachable)

This packet is sent by a SERVER when a CLIENT tries to connect to a UDP port that isn't running. For example, if you try to send an SNMP packet to port 161, but the machine doesn't support the SNMP service, you will get back an ICMP Destination Port Unreachable packet.

Protocol Decode

The first thing to debug this problem is to check the port numbers within the packet. You probably need to use a sniffing utility as firewalls tend not to log the information. This technique relies upon the fact that ICMP messages include the IP and UDP headers of the original packet. Here is a hex dump of an ICMP unreachable: 

 00 00 BA 5E BA 11 00 60 97 07 C0 FF 08 00 45 00
 00 38 6F DF 00 00 80 01 B4 12 0A 00 01 0B 0A 00
 01 C9 03 03 C2 D2 00 00 00 00 45 00 00 47 07 F0
 00 00 80 11 1B E3 0A 00 01 C9 0A 00 01 0B 08 A7 
 79 19 00 33 B8 36
Where the bytes 03 03 are the type/code for the ICMP packet. The last 8 bytes of the packet are the original UDP header, which decodes as:
08A7
UDP Source Port = 2215
May be dynamically allocated, so no always important.
7919
UDP Destination Port = 31001
This is very important, it meant the person was originally attempting to contact a service on port 31001.
0033
UDP Length = 51
The length of the original UDP data might be important.
B836
UDP Checksum = 0xB836
The checksum may or may not be important

Analysis

Here are some reasons why you may be seeing this:

Decoy UDP Scans
Somebody may be scanning the person who sent you the ICMP packet. They are forging the source as one of your IP addresses. They will in reality forge lots of different source addresses so that they victim can't be sure who it really is. If you receive large numbers of these packets from the same source in a short time frame, then this is a likely bet. Check the UDP Destination Port field. If it is constantly changing, then this is a very likely scenario.
Stale DNS
A client may send a DNS request to your server, which takes a long time to resolve. By the time your DNS server responds, the client has already forgotten about you and closed the UDP port assigned to receive your response. Check the UDP Source Port field to see if it equals 53. If so, then this is a likely occurrence. Why does this happen? The server may be resolving a recursive query, but its own query packet was lost, so it had to time out and try again. By the time it gets back to the client, it has timed out. Many client applications (especially on Windows) do their own DNS resolution, meaning that they must create their own socket to do so. If they passed the request onto the OS, it is likely the OS would simply have left the socket open.
Multi-response DNS
Another variation is when the client receives multiple responses to the same request. It receives the first response, then closes the socket. Subsequent responses will be dropped. There other variations on this problem. A Sun machine connected with multiple NICs on the same Ethernet will assign both NICs the same MAC address, causing it to receive two copies of every frame, then send multiple responses. Likewise, a poorly written client program (it has been claimed that some DNS resolvers are multi-threaded, but not thread safe) sometimes send out multiple requests, then close the socket on the first response. However, there may be an attempt at DNS spoofing, where a hacker is attempting to corrupt the resolver's cache by sending both a recursive query and a response.
NetBIOS Resolution
If the receiver of the ICMP packets is a Windows machine, look to see if the UDP Destination Port is 137. In this case, the cause of this is the Windows system trying to execute the 'gethostbyaddr()' function, which attempts to resolve the IP address into a name using both DNS and NetBIOS. The DNS request gets sent to a DNS server somewhere (and not sent to the target), but the NetBIOS request gets sent directly to the target. If the target doesn't support NetBIOS, then it will send back an ICMP unreachable.
Traceroute
Most traceroute programs (with the exception of Windows tracert.exe) send UDP packets to closed ports. This causes a sequence of back-to-back ICMP Port Unreachable packets to be sent back to the machine doing the traceroute. Thus, if you are seeing these ICMP packets on your firewall, then somebody inside might be doing a traceroute. You may also see TTL exceeded as well.

2.3.4 Type = 3, Code = 4 (Fragmentation Needed and Don't Fragment was Set)

These are sent by routers attempting to forward IP datagrams that are marked "DF" (Don't Fragment).

Why? Both IP and TCP fragment data, but in different ways. TCP is vastly more efficient at fragmentation than IP. Therefore, stacks attempt to find the "Path MTU (Maximum Transmission Unit)". This ICMP message is sent during that process.

Let's consider ALICE talking to BOB. Both are on Ethernets (max frame size = 1500 bytes), but some intervening link limits the maximum IP packet size to 600 bytes. This means all IP packets sent will be fragmented by the routers on that link into 3 fragments. Since it is much more efficient to fragment at the TCP layer, the TCP stack will attempt to discover the MTU. It does this by setting the "DF" (Don't Fragment) bit in all its packets. As soon as it hits a router than cannot forward a packet that large, the router will send back this ICMP error message. From that, the TCP stack will know how to fragment correctly.

You should probably let these packets through the firewall. Otherwise, the intended recipient will have a hung connection as small packets get through to set up the connection, but the large packets are mysteriously dropped. A common result from this are people who see web pages that are only halfway returned.

Path MTU Discovery is becoming more and more integrated into communication. For example, IPsec needs this functionality.

2.4 Type = 4 (Source Quench)

These packets are supposed to be transmitted by routers/destination when traffic level exceeds a certain threshold. Many systems today, however, do not generate them. The reason is that we now believe that simple packet loss is the best indication of congestions (since the only reason packets are dropped, in practice, is congestion).

In general, the rules for source quenches are now (RFC 1122):

However, hosts still react to Source Quenches by slowing communication, so they can be used as a denial of service. Firewalls should filter these out. If a DoS is suspected, the source address of the packets will be meaningless, because the IP addresses are spoofed.

Source quenches have been known to be sent by some SMTP servers.

2.8 Type = 8 (Echo aka PING)

These are ping request packets. They are used all over the place; it may indicate hostile intent of someone trying to scan your computer, but it may be part of the normal network functionality. See Type = 0 (Echo Response) above for more info.

Lots of network management "scanners" will precede a scan using a special ping packet. These include ISS scanner, WhatsUp monitor, and others. This will be visible in the payload of the scanner. Most firewalls don't log this payload, so you may need to use some sort of sniffer to capture them or some time of Intrusion Detection System to flag them.

Note that blocking incoming PINGs does not mean a hacker can't scan the network. There are many other ways of doing this. For example, TCP ACK scanning becoming popular -- they usually get through the firewall, and they illicit a response from the target system.

Pings sent to broadcast IP addresses like x.x.x.0 or x.x.x.255 are probably attempts to use your network as a smurf amplifier.

2.11 Type = 11 (Time Exceeded In Transit)

This probably doesn't indicate an attack from a hacker/cracker.

2.11.0 Type = 11, Code = 0 (TTL Exceeded In Transit)

This can be caused by a number of things. If somebody from your site is doing traceroutes out to the Internet, you will see lots of TTL exceeded responses from routers. This is how traceroute works: forces the routers to generate TTL exceeded messages in order to find them.

Another common reason firewall administrators see this is due to routing loops developing in the Internet. Route flapping (constant route changes) is a common problem, and will often briefly result in a loop. This means that while a IP packet is heading towards it destination, the packet gets misrouted to a router that it previously visited it. The packet then gets routed in a circle infinitely -- or it would be, if the routers didn't decrement the TTL field each time and discard the packet once that value hit zero.

Another cause of this is distance. Many machines start with a default TTL of 127 (Windows) or even lower. Routers will often decrement the TTL more than by one in order to reflect slow lines like dialups or transcontinental links. Therefore, a site might not be reachable with a low initial TTL. In addition, some hackers/crackers like to make their site unreachable through this method.

2.11.1 Type = 11, Code = 1 (Fragment Reassembly Time Exceeded)

When sending fragmented IP datagrams, the sender of this message never received all the fragments. Normally, most TCP/IP traffic shouldn't even be fragmented. You will only see this if the traffic is both fragmented AND there congestion somewhere between you and the target.

2.12 Type = 12 (Parameter Problem)

This probably indicates an attack. There are a number of fingerprinting techniques that will generate these packets.

3. IP

3.1 What are source routed packets?

Source route is an option in the IP header that allows the sender to override some or all of the routing decisions. Normally, routers between the source and destination decide how to route the packet.

There are a couple of network management uses of this packet, such as testing to see if two computers can talk to each other. A network manager at point A may send a packet to B through point C. This tells A if B & C can talk to each other.

The same technique can be used to evade firewalls, subvert trust relationships, and communicate with machines using "private" address (10.x.x.x, 192.168.x.x, 172.[16-31].x.x).

Let's say you are a hacker/cracker on the Internet and you want to talk to some machines behind a firewall who use 10.x.x.x as their IP addresses. Since the routers on the Internet do not know where this subnet is located, they will drop your packets. However, you put a loose source route option in the IP packet and tell all the Internet routers to first forward to the firewall. Since the firewall straddles both the Internet and the private network, it will know how to forward the packet appropriately. Thus, you can carry on a conversation with the victim by bouncing all packets through the firewall.

This can be used with IP spoofing. You pretend to be a router (like the firewall mentioned above) and pretend that somebody else is bouncing packets through you. Thus, pick some random machine on the Internet (ALICE) as the spoofee, then send packets from ALICE to your victim BOB. BOB will think the packets are coming from ALICE, but in reality they are coming from you. This masks the real source of the attack.

This is even better if you know that BOB trusts ALICE. IP addresses are often used as part of authentication. Let's say the firewall has a rule allowing all traffic from ALICE into the network. By forging all IP packets to be from ALICE (but being source routed through your own machine), then you get free access to the victim network.

More and more core Internet routers are disabling source routed packets. They slow down routing anyway, but they are a huge security risk. There is also no real need for them. Managers should do the same and disable source routing everywhere: on firewalls, on routers, and even on end-nodes so that they won't even accept incoming source routed packets.

See Microsoft Knowledge Base article Q217336 for setting the "DisableIPSourceRouting" on WinNT SP5 systems

3.2 I'm seeing the IP address 255.255.255.255 in my reject log

This is happening a lot these days as more and more people use DSL or cable-modem connections. The reason is that unlike point-to-point connections (like T-1, frame relay, etc.), these new high-speed technologies drop you onto an ATM VLAN, which is a single broadcast domains. In fact, many cable-modem users are seeing multiple megabytes of traffic per day simply from such broadcasts.

You must remember that such packets MUST be local. Routers (generally) refuse to forward packets with the IP address of 255.255.255.255. This address is known as a "local broadcast" for this reason: it never travels past the local segment (or these days, the local "virtual" segment).

What are these packets for?

Check the list of ports at the top of this document. If it is not listed there, then the only way to figure this out is to capture them with a sniffer and view their contents.

For example, a common service that runs with a random port number is CORBA IIOP packets. Many services run at port 535, but it is frequently reconfigured to broadcast on other ports. If you look at the hex dump in the sniffer, you will see the letters "IIOP" somewhere in the contents.

In any case, this is rarely something to be concerned about. In fact, it advertises something about the person sending the traffic that can be used to hack them. Hackers rarely attack their own neighborhoods (because it is easy to detect), so it probably is accidental, not malicious.

It should be noted that with today's ATM networks, the source of the broadcast may not even be in the same state as you are; they may be hundreds of miles away. The word "local" means in terms of the network topology, not distance.

3.3 How do I track down the owner of an IP address?

Remember that IP addresses can be spoofed, so that the "owner" of an IP address may be innocent. Increasingly, attacks are coming from compromised machines. The owner of the IP may actually be grateful! Both of these statements come to the same conclusion: be polite and professional.

Many companies have established the e-mail address "abuse@example.com" (replace "example" with the proper company). This e-mail role is for both e-mail abuse (such as spam) as well as for network abuse. When you find the owner of the IP address, you should probably compose a message including the evidence of the attack.

Registrar Databases

In the past, all the IP address owners were kept by the Internic. A database built from that information is at http://ipindex.dragonstar.net/. There are now 3 official registrars for North America, Asia, and Europe. Unfortunately, you will have to query each individual database. However, if you start with the North America registrar, it will tell you if the address belongs to one of the other three. Warning: The returned information is fragile; so don't send flames to these people because you have only about 30% chance of reaching the right people.

America http://www.arin.net/whois/
ARIN (American Registry for Internet Numbers)
Europe http://www.ripe.net/db/whois.html
RIPE (Reseaux IP Europeens)
Asia and Pacific http://www.apnic.net/apnic-bin/whois.pl
APNIC (Asia Pacific Network Information Centre)
[more]
Japan http://www.nic.ad.jp/cgi-bin/whois_gw
JPNIC

Japanese English

traceroute

Running traceroute will often find at least the ISP who is hosting the IP address. A reverse DNS lookup on the actual IP address is easy to spoof, but the route to the machine will reveal who is hosting the possible intruder.

Common IP addresses

Many attacks are now coming from cable-modem subscribers in the 24.x.x.x range. These are probably from machines who have been compromised by a Remote Access Trojan (RAT). (While hackers/crackers frequently use dial-up lines because they don't care if their account gets canceled, few users want to have their cable-modem accounts canceled).

Another important range is the "private address" ranges of 10.x.x.x, 192.168.x.x, and 172.16.x.x-172.31.x.x. See 3.4 below.

Addresses like 127.x.x.x indicate "localhost" and should never be seen on the Internet.

The address range 192.0.2.x has been designated for "examples", like "example.com".

3.4 I'm seeing packets from "private" addresses (10.x.x.x et al.) on the Internet side of my firewall

The "private address" ranges are 10.x.x.x, 192.168.x.x, and 172.16.x.x-172.31.x.x. In theory, these cannot be routed on the Internet, which means that while you can use them internally to your network, they cannot leave your network. This further means that you shouldn't see them enter your network from the outside world -- but what does it mean when they do?

I've been seeing these in these cases:

dual-homed hosts (more than one network connection)
I often see two drop packets with the same timestamp, one from a normal IP address, and one from a private IP address. Checking out the TTLs and IP ID fields, I can figure out that they are from the same host. For example, when Windows uses NetBIOS to resolve an IP address, it will send out the request on all connections simultaneously. Since Windows is being used more and more as a "gateway" to the Internet, you should see more and more of this sort of thing happening.
traceroutes
Your own ISP assigns these addresses to its "internal" network -- such as its own routers. When you do a "traceroute", you'll see those routers respond with these addresses. When a router drops a packet and sends back a "ICMP TTL Exceeded" message, it will use the private address. Note that some routers are multi-homed with both private and non-private addresses. Other routers have only private addresses.
cable-modem, DSL
Most cable-modem and DSL connections are on virtual LANs over ATM. You will often see broadcast packets from your "neighbors" that are likewise on the same ATM "LAN".
hackers
Very rarely, you may see an address from a hackers who are spoofing addresses in this range.

3.5 What kind of scans should I expect to see from quasi-legitimate sources?

You will often see scans from somewhat legitimate sources. What I mean by this is that people will scan you without the intention of actually hacking you. For example, search engines will index your site, but it isn't an attack.
Doubleclick
Sends echos to people in order to redirect them to a nearer server for their advertising.
http://www.cyveillance.com/
Scans websites looking for illegal activities, such as copyrighted items.

3.6 I'm seeing source IP address of 0.0.0.0?

If the port is also 0, then this is probably an attempt to fingerprint your system.

3.7 What are directed broadcasts and what do they mean?

Directed broadcasts usually look like an IP address where the last number is 255. It means that the packet will be received by everybody on that subnet whose address ends in the numbers 1 through 254. If you have an IP address of something like 192.0.2.123, then you'll likely receive directed broadcasts sent to 192.0.2.255.

The most common reason you get these is because hackers are scanning your network for "smurf amplifiers". The "smurf" (and related "fraggle") takes advantage of the amplification effect when everyone on a subnet responds to a directed broadcast. The attacker spoofs a victim's IP source, and when your subnet receives that packet, all of you respond to the victim. This allows the attacker to send one packet outbound, but cause his victim to receive many packets inbound.

This may also just be normal scans and worms because they don't care about the difference between a directed broadcast and normal address.

Note that while directed broadcast addresses usually end in .255, this is not guaranteed. It depends upon how you've structured your subnet with your address mask.

3.8 I'm seeing strange addresses like 169.254.x.x?

From a draft document on auto-configuration of IP addresses when DHCP fails: 
    Once a DHCP Client has determined it must auto-configure an IP
    address, it chooses an address.  The algorithm for choosing an
    address is implementation dependant.  The address range to use MUST
    be "169.254/16", which is registered with the IANA as the LINKLOCAL
    net.

This only happens when the normal DHCP process fails.

This new technique was introduced with Microsoft Win98 and Apple MacOS 8.5.

Also see: http://www.unixreview.com/archives/articles/1999/july/9907dd.shtml

4. Stuff doesn't work

4.1 Installing a firewall causes slow connections to POP and SMTP services

This is because the POP and SMTP servers are trying to establish an identd/AUTH connection back to the client. These reverse-connections are blocked, and it takes a while before the servers timeout and continue.

The identd/AUTH service identifies the user of the TCP connection (user name, process id, etc.). When the e-mail server accepts the incoming TCP connection, before sending the greetings, it will first attempt