
Strange hits in firewall after 1.2.2


oliversl


Hi,

I have a WinXP machine NATed via a Linux server.

I have port-forwarding and it is working ok.

After upgrading to 1.2.2 I noticed strange hits in my firewall.

I see for example many hits to a specific port from different hosts.

I wonder if utorrent is publishing me with random ports?

I use a fixed port so I can port-forward the traffic to my machine.

So, how do I check if utorrent is really using a fixed port and not
a random port? I already configured utorrent correctly.

Example ports:

55338 (2000 hits in a 3 hour period)

51844

50868


Incoming connections use the one port you used.

Outgoing connections use random ports selected by the operating system.

This applies for TCP AND UDP.

http://www.utorrent.com/faq.php#My_firewall_is_reporting_connections_being_made_by_.C2.B5Torrent_on_a_port_besides_the_one_I_selected._What_gives.3F

If you're getting incoming connections on another port, then it's probably anti-P2P trying to get to you. :P That, or random port probes. Since it's UDP, it's more likely to be the former. There isn't really much you can do about it.


I'm prone to think that there are some bugged DHT-enabled BitTorrent clients out there. It would be most interesting to log outgoing DHT UDP packets (or actually, the IP and source port) and check those against firewall logs. Either they respond too late to UDP packets or share your (random) port number with others. From looking at my own logs, it seems some BT clients really do odd things when it comes to DHT. As I said in another thread, days after using DHT, clients keep trying to connect to me or send me DHT traffic.

It could also be a local problem, where your firewall does not track UDP-packets (long enough).

Anti-p2p could also be the problem, though, aren't they smarter? Why not use the incoming port? Or are they trying to DoS modems and routers?


Here are some stats:

 pkts bytes target prot opt in  out source    destination
    9   770 REJECT udp  --  *   *   0.0.0.0/0 0.0.0.0/0   udp dpt:50469 reject-with icmp-port-unreachable
 5790  611K REJECT udp  --  *   *   0.0.0.0/0 0.0.0.0/0   udp dpt:57982 reject-with icmp-port-unreachable
 8022  893K REJECT udp  --  *   *   0.0.0.0/0 0.0.0.0/0   udp dpt:55338 reject-with icmp-port-unreachable
18914 1836K DROP   udp  --  *   *   0.0.0.0/0 0.0.0.0/0   udp dpt:50469

Check port 50469, it has 18914 hits!


Too bad no IPs are logged. Something funny: port 50469 has both a few Rejects as well as many Dropped packets. I'm not sure exactly why the firewall sometimes rejects packets and other times drops, especially not if it is sending out ICMP port-unreachables.

Can you put a time-frame on these stats? The number of hits is not really unusual. If I connect to DHT, I will be getting hits days after at a rate of roughly 1800 per hour. And that is only to my BT-port. Never looked into random ports as you did. I wouldn't be surprised to find something in the neighbourhood of 100.000+ dropped/rejected packets all together.


Hi Klaus,

I have more stats, but this time using port 65535

# grep ' DPT=65535 ' /var/log/messages|cut -d ' ' -f 10|sort | uniq|wc -l
70 IPs offending

# grep ' DPT=65535 ' /var/log/messages|wc -l
85313 hits

# grep ' DPT=65535 ' /var/log/messages.1|head -n1
Dec 8 09:50:42 start

# grep ' DPT=65535 ' /var/log/messages.1|tail -n1
Dec 8 14:27:30 end

After "Dec 8 14:27:30" I stopped logging those packets, now I just DROP them.

Look how they are now:

packets bytes  port
   109K 6537K  65535

HTH

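The grep/cut/sort/uniq pipeline in the post above answers Klaus's questions (how many hits, how many distinct sources, over what time window) one port at a time, and it depends on the source address landing in field 10 of the syslog line. The script below is an added example, not code from the thread or from uTorrent, that does the same analysis over an embedded, constructed sample of iptables LOG lines and keys on the SRC= and DPT= tokens instead of field positions. The hostname gw, the interface, the addresses and timestamps in the sample are made up, and the configured uTorrent listen port of 32459 is an assumption used only to illustrate the "fixed port versus everything else" split that the earlier reply describes.

```shell
#!/bin/sh
# Added example: summarise iptables LOG entries by destination port.
# Not from the original thread; the log lines below are constructed.

# Constructed sample in the kernel LOG format the poster grepped.
# Hostname "gw", interface, addresses and times are made up.
# DPT=32459 stands in for the (assumed) fixed uTorrent listen port.
LOG_SAMPLE='Dec  8 09:50:42 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=88 TTL=52 PROTO=UDP SPT=6881 DPT=65535 LEN=68
Dec  8 09:51:07 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=88 TTL=52 PROTO=UDP SPT=6881 DPT=65535 LEN=68
Dec  8 10:12:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=80 TTL=48 PROTO=UDP SPT=51413 DPT=65535 LEN=60
Dec  8 11:40:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=80 TTL=48 PROTO=UDP SPT=51413 DPT=50469 LEN=60
Dec  8 12:05:55 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 LEN=80 TTL=60 PROTO=UDP SPT=6881 DPT=32459 LEN=60
Dec  8 14:27:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=80 TTL=48 PROTO=UDP SPT=51413 DPT=65535 LEN=60'

# Emit the log lines. Swap this for "grep 'kernel:' /var/log/messages"
# to run against a real log.
log_lines() {
    printf '%s\n' "$LOG_SAMPLE"
}

# port_summary PORT -> "hits unique_sources first_ts last_ts"
# Mirrors the poster's wc -l / sort | uniq | wc -l / head / tail steps,
# but finds SRC= and DPT= by name so syslog padding and an optional
# MAC= token cannot shift the fields.
port_summary() {
    log_lines | awk -v port="$1" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt != port) next
            ts = $1 " " $2 " " $3
            if (hits == 0) first = ts
            last = ts
            hits++
            seen[src]++
        }
        END {
            if (hits == 0) { print "0 0 - -"; exit }
            n = 0
            for (s in seen) n++
            print hits, n, first, last
        }'
}

# top_ports -> "count port" per destination port, busiest first.
# The per-port view the iptables counters gave, derived from the log.
top_ports() {
    log_lines | awk '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DPT=/) c[substr($i, 5)]++
        }
        END { for (p in c) print c[p], p }' | sort -rn
}

# stray_hits LISTEN_PORT -> number of hits NOT aimed at the listen port.
# Per the reply above, incoming peer traffic should only target the one
# configured port; anything counted here is late DHT/peer replies to a
# since-closed random source port, probes, or a UDP conntrack timeout.
stray_hits() {
    top_ports | awk -v lp="$1" '$2 != lp { total += $1 } END { print total + 0 }'
}
```

Calling `port_summary 65535` on the sample prints the hit count, the number of distinct offending IPs and the first and last timestamps in one line; `top_ports` lists every destination port seen, and `stray_hits 32459` totals the hits that did not go to the assumed listen port, which is the figure the original poster wanted when asking whether uTorrent was really using a fixed port. Matching on the SRC= and DPT= tokens rather than on field position is deliberate: the poster's `cut -d ' ' -f 10` only works while the date padding and the presence or absence of the MAC= token stay constant.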
