Strange port traffic

Here is a list of bandwidth by service over a one day period:

Rank  Service                          Sent/Received Data
 1    Web (HTTP) (6,80)                800 MBytes
 2    TCP Port 3341 (6,3341)           95 MBytes
 3    HTTPS (6,443)                    76 MBytes
 4    Retrieve E-Mail (POP3) (6,110)   23 MBytes
 5    TCP Port 2525 (6,2525)           11 MBytes
 6    TCP Port 2214 (6,2214)           10 MBytes
 7    TCP Port 3553 (6,3553)           10 MBytes
 8    IP Type 47 (47,256)              10 MBytes
 9    TCP Port 2961 (6,2961)           10 MBytes
10    TCP Port 2565 (6,2565)           10 MBytes
11    Send E-Mail (SMTP) (6,25)        5 MBytes
12    TCP Port 3285 (6,3285)           5 MBytes
13    TCP Port 3213 (6,3213)           5 MBytes
14    Name Service (DNS) (17,53)       4 MBytes
15    IP Type 47 (47,3044)             3 MBytes
16    TCP Port 2543 (6,2543)           3 MBytes
17    IP Type 47 (47,60901)            904 KBytes
18    TCP Port 3651 (6,3651)           854 KBytes
19    TCP Port 3357 (6,3357)           832 KBytes
20    TCP Port 4772 (6,4772)           824 KBytes
21    TCP Port 3793 (6,3793)           824 KBytes
22    TCP Port 2554 (6,2554)           824 KBytes
23    TCP Port 4996 (6,4996)           822 KBytes
24    TCP Port 4933 (6,4933)           822 KBytes
25    TCP Port 3541 (6,3541)           822 KBytes

I have the firewall set up with rules to allow the following services/ports:
HTTP      80
HTTPS     443
POP3      110
SMTP      25
NS-SMTP   2525
DNS       (TCP and UDP) 53
PPTP      1723
Ping      0, 8
ICMP      7
FTP       20, 21
NetBIOS   UDP 137-139

And then a final rule blocking all other traffic in or out.  
So what is all this traffic in the 2,000-4,000 port range and why is it being allowed?
STS-Tech asked:
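For anyone reading a report like the one above with the same question, the following added Python script (not part of the original post, and not the output format of any particular firewall product) parses the rows, decodes the "(a,b)" pair and checks each entry against the allow-list from the question. The pair is assumed to be (IP protocol number, port): 6 is TCP, 17 is UDP and 47 is GRE, which is the protocol PPTP uses to carry tunnelled data. Every unnamed TCP port in the report sits inside 1025-5000, the ephemeral (client source) port range used by older Windows hosts, so the script treats that range as "client side of a session" rather than as a listening service.

```python
"""Classify a per-service bandwidth report against a firewall allow-list.

Added example, not from the original post. The report rows are copied from
the question; the "(a,b)" column is assumed to be (IP protocol number, port).
"""
import re
from typing import Dict, List, NamedTuple

REPORT = """
1 Web (HTTP) (6,80) 800 MBytes
2 TCP Port 3341 (6,3341) 95 MBytes
3 HTTPS (6,443) 76 MBytes
4 Retrieve E-Mail (POP3) (6,110) 23 MBytes
5 TCP Port 2525 (6,2525) 11 MBytes
6 TCP Port 2214 (6,2214) 10 MBytes
7 TCP Port 3553 (6,3553) 10 MBytes
8 IP Type 47 (47,256) 10 MBytes
9 TCP Port 2961 (6,2961) 10 MBytes
10 TCP Port 2565 (6,2565) 10 MBytes
11 Send E-Mail (SMTP) (6,25) 5 MBytes
12 TCP Port 3285 (6,3285) 5 MBytes
13 TCP Port 3213 (6,3213) 5 MBytes
14 Name Service (DNS) (17,53) 4 MBytes
15 IP Type 47 (47,3044) 3 MBytes
16 TCP Port 2543 (6,2543) 3 MBytes
17 IP Type 47 (47,60901) 904 KBytes
18 TCP Port 3651 (6,3651) 854 KBytes
19 TCP Port 3357 (6,3357) 832 KBytes
20 TCP Port 4772 (6,4772) 824 KBytes
21 TCP Port 3793 (6,3793) 824 KBytes
22 TCP Port 2554 (6,2554) 824 KBytes
23 TCP Port 4996 (6,4996) 822 KBytes
24 TCP Port 4933 (6,4933) 822 KBytes
25 TCP Port 3541 (6,3541) 822 KBytes
"""

TCP, UDP, GRE = 6, 17, 47
# (protocol, port) pairs the question's firewall permits.
ALLOWED = {
    (TCP, 80), (TCP, 443), (TCP, 110), (TCP, 25), (TCP, 2525),
    (TCP, 53), (UDP, 53), (TCP, 1723), (TCP, 20), (TCP, 21),
    (UDP, 137), (UDP, 138), (UDP, 139),
}
# Ephemeral source-port range of older Windows hosts. Newer Windows and the
# IANA recommendation use 49152-65535; Linux defaults to 32768-60999.
EPHEMERAL = range(1025, 5001)
UNIT = {"KBytes": 1024, "MBytes": 1024 ** 2, "GBytes": 1024 ** 3}
ROW = re.compile(r"^\s*(\d+)\s+(.*?)\s+\((\d+),(\d+)\)\s+([\d.]+)\s+([KMG]Bytes)\s*$")


class Entry(NamedTuple):
    rank: int
    service: str
    proto: int
    port: int
    nbytes: int


def parse_report(text: str) -> List[Entry]:
    """Turn report lines into Entry records; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        rank, service, proto, port, amount, unit = m.groups()
        entries.append(Entry(int(rank), service, int(proto), int(port),
                             int(float(amount) * UNIT[unit])))
    return entries


def classify(e: Entry) -> str:
    """Order matters: an allowed port such as 2525 is 'allowed' even though
    it also falls inside the ephemeral range."""
    if e.proto == GRE:
        return "gre"          # PPTP tunnel payload (IP protocol 47), not a TCP/UDP port
    if (e.proto, e.port) in ALLOWED:
        return "allowed"
    if e.port in EPHEMERAL:
        return "ephemeral"    # client side of a session, not a listening service
    return "unknown"          # worth a closer look in a packet capture


def summarize(text: str = REPORT) -> Dict[str, Dict[str, int]]:
    """Count entries and bytes per class."""
    out: Dict[str, Dict[str, int]] = {}
    for e in parse_report(text):
        bucket = out.setdefault(classify(e), {"count": 0, "bytes": 0})
        bucket["count"] += 1
        bucket["bytes"] += e.nbytes
    return out


if __name__ == "__main__":
    for label, b in sorted(summarize().items()):
        print(f"{label:10s} {b['count']:3d} entries {b['bytes'] / 1024 ** 2:8.1f} MB")
```

Run as-is it reports six allowed entries, sixteen ephemeral-range entries, three GRE entries and nothing unknown; an "unknown" bucket is the one that would justify the packet capture mentioned later in the thread.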
 
carlmd commented:
Take a look at:

http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html

This may help you get some control of these ports.

Ernie Beek (Expert) commented:
Return traffic for allowed outgoing ports?

Remember, everything above 1024 can be used as a port to establish a connection on after first negotiation.

STS-Tech (Author) commented:
Perhaps.  If so, how do I stop them?  I'd rather have a user come to me and say "my webwidget isn't working" than have unknown traffic.

Ernie Beek (Expert) commented:
Ehr, you can't?

Designated ports out to the internet are only to determine what kind of protocol is being used. So you connect to a webserver on port 80. The server then knows that you want to talk http. After that the server and client negotiate a port (>1024) to talk http over.....

So blocking that is like unplugging your internet.

STS-Tech (Author) commented:
Grrrr.  What you are saying makes perfect sense.  Time to install a packet analyzer I suppose.

STS-Tech (Author) commented:
According to this, from carlmd's article:

...had there been a restrictive firewall on the client machine, when the connection from the server to port 1930 on the client would have failed.  Note that the client program did not explicitly ask for port 1930 -- it just asked for an unused port number to use for this temporary data connection.

The ports should be blocked, as I want them to be.  Maybe I should make a rule allowing everything I don't want and forwarding it to an invalid address.

carlmd commented:
You can certainly block the use of ephemeral ports with a firewall, but realize that you will most likely stop any and all web browsing, and many other applications as well. Most likely the traffic you reference is coming from web use, and if you want to stop that, just block outgoing http and https traffic. This would permit other programs using ephemeral ports to continue working.

Traffic on these ports is just a normal cost of using the internet, and you should not be overly concerned that they are being used. Remember, they are only used for return traffic in response to something that was initiated on your network.

A good firewall will detect and prevent port scanning and other attacks via these ports.
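The behaviour carlmd describes, return traffic accepted only because something inside initiated it, is what a stateful (connection-tracking) firewall implements, and it is the reason ports like 3341 show up in the bandwidth report without being open to the outside. For an HTTP session the server keeps listening on port 80; the high port is the source port the client's operating system picked, and the report attributes the reply bytes to it. The following added Python model (not code from this thread or from any firewall product; hosts use constructed RFC 5737 documentation addresses) shows the check that matters for the original worry: a reply into port 3341 is accepted because a tracked outbound flow exists, while an unsolicited inbound connection to port 3553 is dropped even though both are in the same range.

```python
"""Toy model of a stateful (connection-tracking) packet filter.

Added example, not code from this thread or from any firewall product.
A packet arriving on a high port is accepted only when it belongs to a
flow an inside host opened to an allowed service port; everything else
hits the default-deny rule. Addresses are constructed RFC 5737 values.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first segment of a new TCP connection


class StatefulFilter:
    def __init__(self, inside_prefix: str, allowed_dports: Set[int]):
        self.inside_prefix = inside_prefix       # toy "inside network" test: IP prefix match
        self.allowed = allowed_dports            # service ports inside hosts may connect to
        self.table: Dict[Flow, str] = {}         # connection-tracking table: flow -> state
        self.log: List[Tuple[Packet, str, str]] = []

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def process(self, p: Packet) -> str:
        fwd: Flow = (p.src, p.sport, p.dst, p.dport)
        rev: Flow = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            verdict, why = "ACCEPT", "continues a tracked flow"
        elif rev in self.table:
            self.table[rev] = "ESTABLISHED"      # first reply seen, flow is now two-way
            verdict, why = "ACCEPT", f"reply to a tracked flow, lands on port {p.dport}"
        elif not p.syn:
            verdict, why = "DROP", "mid-stream packet with no tracked flow"
        elif self._inside(p.src) and not self._inside(p.dst):
            if p.dport in self.allowed:
                self.table[fwd] = "NEW"
                verdict, why = "ACCEPT", f"new outbound connection to allowed port {p.dport}"
            else:
                verdict, why = "DROP", f"outbound port {p.dport} not on the allow-list"
        else:
            verdict, why = "DROP", f"unsolicited inbound connection to port {p.dport}"
        self.log.append((p, verdict, why))
        return verdict


def run_scenario() -> StatefulFilter:
    """Push a constructed packet sequence through the filter and return it with its log."""
    fw = StatefulFilter("10.0.0.", {80, 443, 110, 25, 2525, 53, 1723, 20, 21})
    client, web, stranger = "10.0.0.5", "198.51.100.80", "203.0.113.9"
    packets = [
        Packet(client, 3341, web, 80, syn=True),         # browser opens a connection; OS picks source port 3341
        Packet(web, 80, client, 3341),                   # server's reply arrives on port 3341
        Packet(client, 3341, web, 80),                   # client continues the same flow
        Packet(stranger, 4444, client, 3553, syn=True),  # outsider tries to connect to a high port
        Packet(client, 3553, stranger, 6667, syn=True),  # inside host tries a port the policy does not allow
        Packet(stranger, 6667, client, 3553),            # "reply" for a flow that was never tracked
    ]
    for p in packets:
        fw.process(p)
    return fw


def demo() -> List[str]:
    """Verdicts for the scenario, in packet order."""
    return [verdict for _, verdict, _ in run_scenario().log]


if __name__ == "__main__":
    for p, verdict, why in run_scenario().log:
        print(f"{verdict:6s} {p.src}:{p.sport} -> {p.dst}:{p.dport}  ({why})")
```

The three accepted packets are exactly the bytes a report would file under "TCP Port 3341"; the three dropped ones are what the final deny rule in the question is already doing, which is why a packet capture, not a new block rule, is the right next step.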

STS-Tech (Author) commented:
I will reluctantly agree with that.  We had a recent rash of streaming at this site so I wanted to be sure that someone wasn't trying to find another way, but based on what I've read I'll put my paranoia aside for now.

Thanks to you both.

STS-Tech (Author) commented:
Not what I wanted to hear, but the right answer, nonetheless.