Monday, September 22, 2008

tcp/32709 solved?

About a week ago, I put up a quick post asking if anyone knew what kind of traffic is directed at tcp/32709. Since there did not seem to be much known about this port, I did some snooping around myself. I fired up a simple netcat port listener on port 32709 and waited for incoming connections:

$ nc -vvlp 32709 |tee 32709.log
listening on [any] 32709 ...
Warning: forward host lookup failed for hn.kd.dhcp:Unknown host
connect to [72.249.83.37] from hn.kd.dhcp [61.53.152.179] 1976
�@u)�o�=5��[CHN][VeryCD]yourname<�B4���ff��Y�T�
sent 0, rcvd 106 : Connection reset by peer

While mostly binary, there are some clues in here. Specifically [CHN] and [VeryCD]. Given the fact that all the scans that I detected originated from Chinese IP ranges, I suspect that [CHN] stands for "Chinese". Not sure if it is Chinese encoding, Chinese language, or something else.

The second hint is [VeryCD]. A quick Google for VeryCD turns up that this is an "eMule based Chinese P2P media directory". Some more Googling reveals that VeryCD clients are insanely aggressive in probing for new file-sharing servers. I suspect that this is exactly the behavior that hit my machine.

For now, I'll keep the following networks blocked; it took away just about any and all portscanning that was hitting me (that is, that I detected ;)

59.62.0.0/15
60.0.0.0/8
116.252.0.0/15
121.0.0.0/8
122.0.0.0/8
123.0.0.0/8
125.64.0.0/13
125.65.112.0/24
218.0.0.0/8
221.0.0.0/8
222.0.0.0/8

And yes, that does represent an awful lot of hosts that can no longer read my blog. I'll live with that; there are plenty of legitimate sources as well as illegitimate sources that carry my content.
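As an added example (not code from the original post), here is a small Python script that does what the analysis above does by hand: it pulls the printable runs out of a captured payload the way strings(1) would, looks for the [CHN][VeryCD] marker, parses the source address from netcat's "connect to ... from ..." line, and checks that address against the block list above. The payload bytes are constructed to resemble the log, not the real 106-byte message.

```python
import ipaddress
import re

# Source networks the post blocks (taken from the list above).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "59.62.0.0/15", "60.0.0.0/8", "116.252.0.0/15", "121.0.0.0/8",
    "122.0.0.0/8", "123.0.0.0/8", "125.64.0.0/13", "125.65.112.0/24",
    "218.0.0.0/8", "221.0.0.0/8", "222.0.0.0/8",
)]

# Constructed stand-in for the captured payload: arbitrary binary bytes around
# the printable markers shown in the netcat log; not the real 106-byte message.
SAMPLE_PAYLOAD = (
    b"\x8f@u)\x9eo\x8b=5\xf0\xa1"
    b"[CHN][VeryCD]yourname<"
    b"\xc2B4\xd8\xf6\xe2ff\xa7\xb9Y\xc4T\xd0"
)
SAMPLE_CONNECT_LINE = "connect to [72.249.83.37] from hn.kd.dhcp [61.53.152.179] 1976"

CONNECT_RE = re.compile(r"from \S+ \[(\d{1,3}(?:\.\d{1,3}){3})\] (\d+)$")
VERYCD_MARKER = "[CHN][VeryCD]"

def printable_strings(payload: bytes, min_len: int = 4) -> list:
    """strings(1)-style: runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(payload)]

def is_verycd_probe(payload: bytes) -> bool:
    """True if the payload carries the [CHN][VeryCD] marker seen in the capture."""
    return any(VERYCD_MARKER in s for s in printable_strings(payload))

def source_of(connect_line: str):
    """Pull (src_ip, src_port) out of a netcat 'connect to ... from ...' line."""
    m = CONNECT_RE.search(connect_line)
    return (m.group(1), int(m.group(2))) if m else None

def is_blocked(src_ip: str) -> bool:
    """Would the post's block list have dropped this source address?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in BLOCKED_NETWORKS)

def classify(connect_line: str, payload: bytes) -> dict:
    """Who connected, does the payload look like a VeryCD probe, would the list block it."""
    src = source_of(connect_line)
    src_ip = src[0] if src else None
    return {"src_ip": src_ip, "verycd_probe": is_verycd_probe(payload),
            "blocked": bool(src_ip) and is_blocked(src_ip)}
```

Running classify() on the log line above flags the payload as a VeryCD probe but reports the source as not blocked: 61.53.152.179 falls in none of the listed networks, so the block list would not have stopped this particular connection.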

For the time being: case closed.
