

Outbound traffic on unknown ports to private IP addresses

Posted on 2003-11-17
Medium Priority
Last Modified: 2008-03-03

I am noticing some strange activity on my firewall. There is outbound UDP traffic from two servers (both running Win2K Server, one running SQL 2000 and the other Exchange 2000). It is outbound from these servers to private addresses that do not exist on my internal network. The destination IPs are and the ports being used are mainly 1055, 1057 & 1058, but I have noticed 1518, 1520 & 1521 as well. Has anyone seen this before? I've checked virus/event and IIS logs and don't see anything unusual, and everything is operating normally. Any suggestions as to what might be causing this would be appreciated.

Question by:Dawn_Bl
LVL 19

Accepted Solution

Dexstar earned 1000 total points
ID: 9767184

> Any suggestions as to what might be causing this would be appreciated.

I would install "Network Monitor" that comes with W2K Server on either or both of those machines and sniff the network traffic to see what the contents of these packets are.

Here is information on how to set it up and use it:

Hope That Helps,

Expert Comment

ID: 9767516
Sometimes this sort of thing can happen if you have an overlap in DNS between your windows network and your ISP's network.  I had a heck of a time when I named one of my computers WIN98.  Turns out my ISP had one named the same thing, *and* they had put an entry in on their DNS server.  If my computer was turned on, things were fine, but if it wasn't (thus the broadcast for it would fail), my machine would find the DNS entry for WIN98 on my ISP's internal network and try to talk to it!  

Although I admit there are fairly short odds on it being the same thing, the symptoms would have been similar.  Since the ports you report are above 1023, they may be the transitory ports used when first establishing a connection.  If you do have a similar situation, it could be that those devices used to talk to someone who used the same name as the device at those IP addresses.

A way longshot, but you did ask if we'd seen something similar...  :)

Either way, I'd still hook up the network monitor and take a look.  Also, try a netstat on the source boxes.  That should turn up some more information.

Good luck!

Expert Comment

ID: 9767564
Do you have Citrix or VPN clients? This can be the address they are using. It can also be spoofing... also the Welchia virus creates tons of TCP exhaustion... although you should run the Welchia patch to make sure it is not on your system...

LVL 18

Expert Comment

ID: 9767913
While there's some activity on these ports in the wild, there's not much, and they don't correspond to any known vulnerabilities.


You don't say what the source ports are... might be backscatter?
I'd get a sniff on those switchports to see what they're up to.

LVL 35

Expert Comment

ID: 9768710
One thing to be very conscious of is that many of today's worms and viruses will, as a first order of business, disable local virus scans, so they don't get on any logs.

If you haven't kept absolutely current with your service packs and security hotfixes, and disabled all unnecessary services, you may have a worm or backdoor trojan that your antivirus isn't scanning and therefore not logging.  

If I were in your shoes, I would first run a web-based virus scan, like the one at http://housecall.trendmicro.com/ and follow that with a spyware/adware scan that also picks up trojans that virus scans bypass, like SpySweeper from www.webroot.com, if for no other reason than to ease my mind.  Also go visit www.blackviper.com to help you determine what services you can and should disable - not only will you be more secure, you will likely see an improvement in performance and stability.

If all of that comes up clean, and you have a reasonable comfort level of the security of your systems, but this traffic continues - I would then look at whether or not someone in your network is doing something along the lines of running a peer-to-peer file sharing program.  The reason I mention that is that you made note of 2 sets of 3 UDP ports.  Many file sharing programs not only use multiple UDP ports but also allow you to modify the UDP listeners to bypass things like packet filters.

Author Comment

ID: 9770634
Thanks for all of the suggestions. I will try running a sniffer to get more details and report back.
LVL 35

Expert Comment

ID: 9771035
A good free one can be found at www.ethereal.com

Author Comment

ID: 9772992
Thank you for all of your help. I installed Network Monitor (and fought with it for awhile) and realized the traffic is coming from a laptop that is not part of our domain but is used for some remote administration purposes. It had some additional IP addresses on it from a few VMWare instances. I was only seeing the outbound because there was no route to the addresses not on our network. The remote admin app was trying to respond on all IPs.

Thanks again... Dawn

Expert Comment

ID: 9773391
One thing I did at my work is to put an ACL on our Internet router and block all outbound traffic to private address ranges. Theoretically they shouldn't be routed anyway, but since we syslog, our syslog will be notified if it happens.
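The pattern the original question describes (outbound traffic from internal hosts to RFC 1918 addresses that are not part of the internal network) and the detection the comment above suggests (deny-and-log at the edge, then watch the syslog) can be checked offline against exported firewall logs. The script below is an added example for this thread, not code from the original page or from any of the posters. The log line format, the internal subnet (192.168.10.0/24) and the sample log lines are constructed assumptions; adapt `parse_line` to whatever your firewall actually emits. It flags every record whose destination is in private space but outside the subnets you own, which is exactly the "destination does not exist on my network" symptom, and summarizes the hits per source, destination and port so a pattern like the 1055/1057/1058 triple stands out.

```python
"""Flag outbound firewall-log records whose destination is an RFC 1918
address that is not one of our own internal subnets.

Added example for this thread; the log format, INTERNAL_SUBNETS and
SAMPLE_LOG are constructed assumptions, not data from the original post.
"""
import ipaddress
from collections import Counter

# Constructed assumption: the address space we actually own. Any RFC 1918
# destination outside these blocks has no business leaving the firewall.
INTERNAL_SUBNETS = [ipaddress.ip_network("192.168.10.0/24")]

# The three RFC 1918 private ranges.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log lines in a hypothetical
# "proto src_ip:src_port dst_ip:dst_port action" format.
SAMPLE_LOG = """\
udp 192.168.10.5:1055 192.168.55.12:1055 permit
udp 192.168.10.5:1057 192.168.55.12:1057 permit
udp 192.168.10.5:1058 192.168.55.12:1058 permit
udp 192.168.10.6:1518 10.9.8.7:1518 permit
udp 192.168.10.6:1520 10.9.8.7:1520 permit
udp 192.168.10.5:53000 8.8.8.8:53 permit
tcp 192.168.10.7:40000 192.168.10.20:445 permit
"""


def parse_line(line):
    """Split one constructed-format log line into a record dict."""
    proto, src, dst, action = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "proto": proto,
        "src_ip": ipaddress.ip_address(src_ip),
        "src_port": int(src_port),
        "dst_ip": ipaddress.ip_address(dst_ip),
        "dst_port": int(dst_port),
        "action": action,
    }


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def is_internal(ip):
    return any(ip in net for net in INTERNAL_SUBNETS)


def find_leaked_private_egress(log_text):
    """Return records whose destination is private space we do not own.

    Public destinations (normal Internet traffic) and destinations inside
    INTERNAL_SUBNETS (normal LAN traffic) are left alone.
    """
    leaked = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_rfc1918(rec["dst_ip"]) and not is_internal(rec["dst_ip"]):
            leaked.append(rec)
    return leaked


def summarize(records):
    """Count hits per (src_ip, dst_ip, proto, dst_port) so repeated
    port sets such as 1055/1057/1058 become visible at a glance."""
    counts = Counter()
    for rec in records:
        key = (str(rec["src_ip"]), str(rec["dst_ip"]), rec["proto"], rec["dst_port"])
        counts[key] += 1
    return counts


if __name__ == "__main__":
    hits = find_leaked_private_egress(SAMPLE_LOG)
    for (src, dst, proto, dport), n in sorted(summarize(hits).items()):
        print(f"{src} -> {dst} {proto}/{dport}: {n} record(s) to unowned private space")
```

The flagged source addresses are the ones to take to `netstat` or a sniffer, as the earlier comments suggest; in the original thread the culprit turned out to be a host with extra VMware addresses whose application answered on every interface, which this summary would have localized to one source IP immediately.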
