Outbound traffic on unknown ports to private IP addresses

Posted on 2003-11-17
Last Modified: 2008-03-03

I am noticing some strange activity on my firewall. There is outbound UDP traffic from two servers (both running Win2K Server & 1 running SQL 2000 & the other Exchange 2000). It is outbound from these servers to private addresses that do not exist on my internal network. The destination IPs are and The ports being used are mainly 1055, 1057 & 1058 but I have noticed 1518, 1520 & 1521 as well. Has anyone seen this before? I've checked virus/event and IIS logs and don't see anything unusual and everything is operating normally. Any suggestions as to what might be causing this would be appreciated.

Question by:Dawn_Bl
LVL 19

Accepted Solution

Dexstar earned 250 total points
ID: 9767184

> Any suggestions as to what might be causing this would be appreciated.

I would install "Network Monitor" that comes with W2K server on either or both of those machines and sniff the network traffic to see what the contents of these packets are.

Here is information on how to set it up and use it:

Hope That Helps,

Expert Comment

ID: 9767516
Sometimes this sort of thing can happen if you have an overlap in DNS between your windows network and your ISP's network.  I had a heck of a time when I named one of my computers WIN98.  Turns out my ISP had one named the same thing, *and* they had put an entry in on their DNS server.  If my computer was turned on, things were fine, but if it wasn't (thus the broadcast for it would fail), my machine would find the DNS entry for WIN98 on my ISP's internal network and try to talk to it!  

Although I admit there are fairly short odds on it being the same thing, the symptoms would have been similar.  Since the ports you report are above 1023, they may be the transitory ports used when first establishing a connection.  If you do have a similar situation, it could be that those devices used to talk to someone who used the same name as the device at those IP addresses.

A way longshot, but you did ask if we'd seen something similar...  :)

Either way, I'd still hook up the network monitor and take a look.  Also, try a netstat on the source boxes.  That should turn up some more information.

Good luck!

Expert Comment

ID: 9767564
Do you have Citrix or VPN clients? This can be the address they are using? It can also be spoofing... also the Welchia virus creates tons of TCP exhaustion... although you should run the Welchia patch to make sure it is not on your system...

LVL 18

Expert Comment

ID: 9767913
While there's some activity on these ports in the wild, there's not much and they don't correspond to any known vulnerabilities.

You don't say what the source ports are... might be backscatter?
I'd get a sniff on those switchports to see what they're up to.

LVL 35

Expert Comment

ID: 9768710
One thing to be very conscious of is that many of today's worms and virii will, as a first order of business, disable local virus scans, so they don't get on any logs.

If you haven't kept absolutely current with your service packs and security hotfixes, and disabled all unnecessary services, you may have a worm or backdoor trojan that your antivirus isn't scanning and therefore not logging.  

If I were in your shoes, I would first run a web-based virus scan, like the one at and follow that with a spyware/adware scan that also picks up trojans that virus scans bypass, like SpySweeper from, if for no other reason than to ease my mind.  Also go visit to help you determine what services you can and should disable - not only will you be more secure, you will likely see an improvement in performance and stability.

If all of that comes up clean, and you have a reasonable comfort level of the security of your systems, but this traffic continues - I would then look at whether or not someone in your network is doing something along the lines of running a peer-to-peer file sharing program.  The reason I mention that is that you made note of 2 sets of 3 UDP ports.  Many file sharing programs not only use multiple UDP ports but also allow you to modify the UDP listeners to bypass things like packet filters.

Author Comment

ID: 9770634
Thanks for all of the suggestions. I will try running a sniffer to get more details and report back.
LVL 35

Expert Comment

ID: 9771035
A good free one can be found at

Author Comment

ID: 9772992
Thank you for all of your help. I installed Network Monitor (and fought with it for a while) and realized the traffic is coming from a laptop that is not part of our domain but is used for some remote administration purposes. It had some additional IP addresses on it from a few VMWare instances. I was only seeing the outbound because there was no route to the addresses not on our network. The remote admin app was trying to respond on all IPs.

Thanks again... Dawn

Expert Comment

ID: 9773391
One thing I did at my work is to put an ACL on our internet Router and blocked all outbound Private address ranges. Theoretically they shouldn't be routed anyway, but since we syslog, our syslog will be notified if it happens.
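As an added illustration of the approach in the last comment (and of the pattern in the original question), not code from anyone in this thread: a small Python filter over constructed firewall log lines that flags flows whose destination is an RFC 1918 address that is not one of your own internal networks. The log format and the internal prefix 192.168.1.0/24 are assumptions for the example.

```python
import ipaddress
from collections import Counter

# RFC 1918 private ranges plus the 169.254/16 link-local range: destinations
# that should never be seen leaving the perimeter.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample log for this example, one flow per line:
# "proto src_ip:src_port -> dst_ip:dst_port". Adapt parse_line() to a real firewall format.
SAMPLE_LOG = """\
udp 192.168.1.10:1055 -> 192.168.50.7:1055
udp 192.168.1.10:1057 -> 192.168.50.7:1057
udp 192.168.1.11:1518 -> 172.20.3.4:1518
tcp 192.168.1.20:3456 -> 198.51.100.9:443
udp 192.168.1.10:1058 -> 192.168.1.200:1058
udp 192.168.1.11:1521 -> 10.9.8.7:1521
"""

def parse_line(line):
    proto, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (proto, ipaddress.ip_address(src_ip), int(src_port),
            ipaddress.ip_address(dst_ip), int(dst_port))

def is_private(ip):
    return any(ip in net for net in PRIVATE_RANGES)

def find_stray_private_flows(log_text, internal_nets):
    """Return flows whose destination is a private address outside our own
    internal networks: the 'unknown ports to private IPs' symptom from the question."""
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport = parse_line(line)
        if is_private(dst) and not any(dst in net for net in internal):
            hits.append((proto, str(src), sport, str(dst), dport))
    return hits

def summarize_by_source(hits):
    """Count stray flows per (source host, destination) so the responsible host stands out."""
    return Counter((src, dst) for _, src, _, dst, _ in hits)

if __name__ == "__main__":
    stray = find_stray_private_flows(SAMPLE_LOG, ["192.168.1.0/24"])
    for flow in stray:
        print("stray private destination:", flow)
    print(summarize_by_source(stray))
```

Run against a syslog feed from the router ACL described above, the per-source summary points straight at the host (here, the equivalent of the remote-admin laptop) that owns the stray flows.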
