Outbound traffic on unknown ports to private IP addresses

Posted on 2003-11-17
Last Modified: 2008-03-03

I am noticing some strange activity on my firewall. There is outbound UDP traffic from two servers (both running Win2K Server, one running SQL 2000 and the other Exchange 2000). It is outbound from these servers to private addresses that do not exist on my internal network. The destination IPs are and. The ports being used are mainly 1055, 1057 & 1058, but I have noticed 1518, 1520 & 1521 as well. Has anyone seen this before? I've checked virus/event and IIS logs and don't see anything unusual, and everything is operating normally. Any suggestions as to what might be causing this would be appreciated.

Question by:Dawn_Bl
LVL 19

Accepted Solution

Dexstar earned 250 total points
ID: 9767184

> Any suggestions as to what might be causing this would be appreciated.

I would install "Network Monitor", which comes with W2K Server, on either or both of those machines and sniff the network traffic to see what the contents of these packets are.

Here is information on how to set it up and use it:

Hope That Helps,

Expert Comment

ID: 9767516
Sometimes this sort of thing can happen if you have an overlap in DNS between your windows network and your ISP's network.  I had a heck of a time when I named one of my computers WIN98.  Turns out my ISP had one named the same thing, *and* they had put an entry in on their DNS server.  If my computer was turned on, things were fine, but if it wasn't (thus the broadcast for it would fail), my machine would find the DNS entry for WIN98 on my ISP's internal network and try to talk to it!  

Although I admit there are fairly short odds on it being the same thing, the symptoms would have been similar.  Since the ports you report are above 1023, they may be the transitory ports used when first establishing a connection.  If you do have a similar situation, it could be that those devices used to talk to someone who used the same name as the device at those IP addresses.

A way longshot, but you did ask if we'd seen something similar...  :)

Either way, I'd still hook up the network monitor and take a look.  Also, try a netstat on the source boxes.  That should turn up some more information.

Good luck!

Expert Comment

ID: 9767564
Do you have Citrix or VPN clients? This can be the address they are using. It can also be spoofing... also the Welchia virus creates tons of TCP exhaustion... although you should run the Welchia patch to make sure it is not on your system...

LVL 18

Expert Comment

ID: 9767913
While there's some activity on these ports in the wild, there's not much, and it doesn't correspond to any known vulnerabilities.

You don't say what the source ports are... might be backscatter?
I'd get a sniff on those switchports to see what they're up to.

LVL 35

Expert Comment

ID: 9768710
One thing to be very conscious of is that many of today's worms and viruses will, as their first order of business, disable local virus scans so they don't get into any logs.

If you haven't kept absolutely current with your service packs and security hotfixes, and disabled all unnecessary services, you may have a worm or backdoor trojan that your antivirus isn't scanning and therefore not logging.  

If I were in your shoes, I would first run a web-based virus scan, like the one at and follow that with a spyware/adware scan that also picks up trojans that virus scans bypass, like SpySweeper from, if for no other reason than to ease my mind.  Also go visit to help you determine what services you can and should disable - not only will you be more secure, you will likely see an improvement in performance and stability.

If all of that comes up clean, and you have a reasonable comfort level of the security of your systems, but this traffic continues - I would then look at whether or not someone in your network is doing something along the lines of running a peer-to-peer file sharing program.  The reason I mention that is that you made note of 2 sets of 3 UDP ports.  Many file sharing programs not only use multiple UDP ports but also allow you to modify the UDP listeners to bypass things like packet filters.

Author Comment

ID: 9770634
Thanks for all of the suggestions. I will try running a sniffer to get more details and report back.

LVL 35

Expert Comment

ID: 9771035
A good free one can be found at

Author Comment

ID: 9772992
Thank you for all of your help. I installed Network Monitor (and fought with it for awhile) and realized the traffic is coming from a laptop that is not part of our domain but is used for some remote administration purposes. It had some additional IP addresses on it from a few VMWare instances. I was only seeing the outbound because there was no route to the addresses not on our network. The remote admin app was trying to respond on all IPs.

Thanks again... Dawn

Expert Comment

ID: 9773391
One thing I did at my work is to put an ACL on our Internet router and block all outbound private address ranges. Theoretically they shouldn't be routed anyway, but since we syslog, our syslog will be notified if it happens.
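As an added example (not code from the thread or from any of its participants), a small Python script that does on the log side what the ACL-plus-syslog approach above does on the router: it reads firewall log lines and flags outbound flows to RFC 1918 destinations that are not one of the site's own prefixes, grouped by source host, protocol and destination ports. The log line format, the internal prefix 192.168.10.0/24 and the sample lines are constructed assumptions modelled on the question.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private address space.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines (not real data): "<time> <proto> <src>:<sport> -> <dst>:<dport>".
# 192.168.10.0/24 is the assumed internal LAN; the 10.x and 172.16.x destinations do not exist on it.
SAMPLE_LOG = """\
10:01:02 UDP 192.168.10.5:3021 -> 10.20.30.4:1055
10:01:02 UDP 192.168.10.5:3022 -> 10.20.30.4:1057
10:01:03 UDP 192.168.10.5:3023 -> 10.20.30.4:1058
10:01:05 UDP 192.168.10.6:4410 -> 172.16.5.9:1518
10:01:05 UDP 192.168.10.6:1030 -> 192.168.10.1:53
10:01:06 TCP 192.168.10.5:1045 -> 198.51.100.7:80
"""

def parse_line(line):
    """Split one log line into fields; ports become ints, addresses become ip_address objects."""
    ts, proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto,
            "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport)}

def is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)

def find_stray_private(log_text, internal_nets):
    """Flag flows whose destination is RFC 1918 space that is not one of our own prefixes;
    a border router should never forward these. Returns {(src_ip, proto): summary dict}."""
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    hits = defaultdict(lambda: {"count": 0, "dports": set(), "dsts": set()})
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if not is_private(ev["dst"]) or any(ev["dst"] in n for n in internal):
            continue  # public destination, or one of our own subnets: normal traffic
        h = hits[(str(ev["src"]), ev["proto"])]
        h["count"] += 1
        h["dports"].add(ev["dport"])
        h["dsts"].add(str(ev["dst"]))
    return dict(hits)

if __name__ == "__main__":
    for (src, proto), h in sorted(find_stray_private(SAMPLE_LOG, ["192.168.10.0/24"]).items()):
        print(f"{src} {proto}: {h['count']} flows to {sorted(h['dsts'])} on ports {sorted(h['dports'])}")
```

Traffic to 192.168.10.1 is ignored because that prefix is ours; the two hosts talking to 10.20.30.4 and 172.16.5.9 are the ones a syslog alert would single out.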
