>Date: Thu, 02 Mar 2000 01:38:02 -0600
>From: Kelly Hair <[EMAIL PROTECTED]>
>Subject: TCP port 3

>Picked up someone trying to connect to TCP port 3 from TCP port 3 on my
>border.   I cannot find any information about this port (not in the
>services file and searches are not returning anything for me.)  Does
>anyone have an idea what this port would be used for?

TCP Port 3 & UDP port 3 were assigned as a pair for a compression 
scheme that Bernie Volz had years ago.  I believe that he was going to
use a TCP connection to establish compression parameters, and then compress
IP or perhaps TCP/UDP (the details are very fuzzy) inside of the UDP
on port 3.  This is certainly not what is going on in your case.  You
may be able to find a pointer in the Assigned Numbers RFC (1700 this week).

It is much more likely that you have either a broken log of some sort (i.e.,
not really port 3), a broken script kiddie (i.e., they were thinking of UDP
port 7 but mistyped it as TCP port 3), broken software (i.e., was hoping for
port 25 but subtracted the 2 from the 5 instead), or someone sniffing for a
back door they were hoping to find.

One thing is clear, though: a decent number of firewalls are misconfigured to
allow inbound attacks to be launched from "outgoing" ports (such as 80, or even
sometimes anything less than 1025, 1024, or 1023, depending on the designer),
so I would expect to see slow port scans coming from low-numbered ports,
especially 80/25/23/21, as folks begin to catch on.

jms


Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)  
[EMAIL PROTECTED]    http://www.opus1.com/jms    Opus One
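
Added example, not part of the original message: a small Python sketch of the misconfiguration described above, comparing a stateless "trust low source ports" rule with a rule that only admits replies to known outbound flows or connections to published services, and listing the inbound SYNs that arrive from low source ports. The packets, addresses, rule functions and the published-service table are all constructed for illustration.

```python
from collections import namedtuple, defaultdict

# Constructed packets as seen on the outside interface (illustrative only).
Packet = namedtuple("Packet", "src sport dst dport flags")
PACKETS = [
    Packet("192.0.2.10", 80, "10.0.0.5", 40112, "SA"),  # reply to an outbound web request
    Packet("198.51.100.7", 3, "10.0.0.5", 3, "S"),      # port 3 -> port 3, as in the report
    Packet("198.51.100.7", 80, "10.0.0.5", 23, "S"),    # new connection sourced from port 80
    Packet("198.51.100.7", 25, "10.0.0.6", 21, "S"),    # new connection sourced from port 25
    Packet("203.0.113.9", 51544, "10.0.0.8", 25, "S"),  # ordinary client to the mail server
]
# Assumed state: flows opened from inside, and services deliberately exposed.
OUTBOUND = {("10.0.0.5", 40112, "192.0.2.10", 80)}
PUBLISHED = {("10.0.0.8", 25)}

def weak_rule(p, cutoff=1024):
    """Stateless rule of the kind described: admit anything from a low source port."""
    return p.sport < cutoff

def strict_rule(p):
    """Admit replies to flows an inside host opened, or new connections to published services."""
    is_reply = "A" in p.flags and (p.dst, p.dport, p.src, p.sport) in OUTBOUND
    return is_reply or (p.dst, p.dport) in PUBLISHED

def exposure(packets):
    """Packets the weak rule admits that the strict rule would drop."""
    return [p for p in packets if weak_rule(p) and not strict_rule(p)]

def low_port_syns(packets, cutoff=1024):
    """Group bare inbound SYNs with a low source port by sender, for scan review."""
    hits = defaultdict(list)
    for p in packets:
        if p.flags == "S" and p.sport < cutoff:
            hits[p.src].append((p.sport, p.dst, p.dport))
    return dict(hits)

if __name__ == "__main__":
    for p in exposure(PACKETS):
        print("weak rule admits:", p)
    for src, probes in low_port_syns(PACKETS).items():
        print(src, "sent", len(probes), "SYNs from low source ports:", probes)
```

A real client normally picks an ephemeral source port, so a bare SYN arriving from a source port below 1024 is worth logging even when it is dropped.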
