Re: tcp 17888

[Harlan Carvey <keydet89 () yahoo com>]

David

Comment inline...

> While monitoring my firewall I noticed a lot of
> incoming tcp packets to
> port 17888. All were dropped, so there has been no
> damage or intrusion.
> I fired up tcpdump and let it catch all the packets
> for 2 hours and
> using ethereal I found 11105 packets from approx. 30
> different sources.
> All packets had the SYN flag and most of the time
> there were 3 packets
> from the same source port. Many of the source ip's
> had attempts from
> numerous different ports. Google returned
> information on "netlet" when
> queried for "tcp 17888". I am not familiar with
> netlet, it seems to me to be some type of rpc.

Interesting approach.  "I don't know what netlet is,
so this traffic must be rpc."  

What makes you say this?  You have only the SYN flag
in the packets to go on.  Did you find information
someplace else that you're not sharing that could
explain this?
 
> Since it seems to be rpc my guess is someone looking
> for another machine to own. 

Sometimes this is a good assumption for any probe. 
However, it seems as if you're making an assumption
without a great deal of support...again, why rpc?




---------------------------------------------------------------------------
----------------------------------------------------------------------------