Single incoming port is over 50% of the blocked traffic



  • I recently started using an ELK stack to monitor my pfSense firewall. Today I was looking at the dashboard and noticed the incoming blocks over time graph. One port (TCP 30303) makes up over 60% of all the blocked ports. Curious, I immediately did a search on this port and found that it is associated with an old (1990's) trojan virus. "That's good," I thought to myself. "I am glad that my firewall is blocking that." Even more curious, I searched on this trojan called "Sockets de Troie" and all I can find on it dates way back to 2005 and older. While I am glad that my firewall is blocking this, I am really curious as to why this port makes up over half of the blocks on my firewall. I am asking the community here if anyone has seen this port blocked on their firewall and if it makes up a large percentage of the blocks?

    Thanks,
    Andy



  • What IP is being blocked?  Could it be a coincidence that it may be something else using the same port?



  • Stewart,

    There are multiple IP addresses ranging from the US, CZ, NL, etc.  See below screenshots.







  • Rebel Alliance Global Moderator

    Not seeing any hits on that port from anywhere.

    Sure that's just not a port you "were" using for p2p or something.  Did your IP recently change?  Could have gotten an IP in an old swarm where that was the port they were using.

    What time frame is that over?  It's not a large number of hits, unless you're talking only a few seconds?  I have 239 some hits on just 23 (telnet) in the last 7 hours..

    It's easy to get curious about these odd ball ports, there might be something out on 30303 kind of like the previous modem thing on port 7547

    You sure it's TCP and not a mix.. you have a lot of high ports listed that seem a bit strange.. Are they blocked as SYN, or is it out of state traffic?  I changed my log to only log tcp that are syn hits.. vs logging the odd udp port and out of state packets that just clutter up the log..



  • @Johnpoz

    I don't do any P2P on my network so I don't think it is that. The only other thing I found about the port is that it is apparently used by an app called Ethereum that appears to be somewhat like Bitcoin: https://www.ethereum.org/

    I also don't think my WAN IP has changed in a while. The timeframe for those hits was about 2 weeks.

    EDIT: Also I did a drill down into the protocols and port 30303 is a mix of TCP and UDP:



  • Rebel Alliance Global Moderator

    you sure some of those are not out of state hits?  The udp is all just noise.. I really see no point in logging it to be honest..

    If those are SYN hits, then yes it's directed traffic.  If it's out of state it's possible it's just left over packets from after you closed a session, etc… your 23, 22, 1433 are real common, you will see lots of those.  Bots searching the net for open shit they can try and exploit.  The high ports could be just junk.

    It is curious that you're seeing a few ports make up a large % of it though.. I checked my logs, I have not seen any hits to 30303 tcp at all..

    Again what is the time frame in these graphs, last 24 hours?  Last hour? etc..  If you're curious do a packet capture on your wan on that port and it might give you some insight to what it is.  For sure will tell you if syn or just out of state ack.  If ack, take a look at your state table: do you see any traffic going somewhere with that 30303 as source port?


  • Banned

    I'm using pfmonitor and did a search for 30303.

    Nothing on my firewall, but it's #108 on the global list (94 firewalls as of this posting) at 13732 total hits coming from 579 unique IPs.

    Historicals show a massive spike in hits on 18 May, with hardly any prior to that (firewall(s) being hit on this port may have been added on that day?)

    Here's the list of source IPs coming up on pfmonitor top 250.





  • @johnpoz:

    you sure some of those are not out of state hits?  The udp is all just noise.. I really see no point in logging it to be honest..

    If those are SYN hits, then yes it's directed traffic.  If it's out of state it's possible it's just left over packets from after you closed a session, etc… your 23, 22, 1433 are real common, you will see lots of those.  Bots searching the net for open shit they can try and exploit.  The high ports could be just junk.

    It is curious that you're seeing a few ports make up a large % of it though.. I checked my logs, I have not seen any hits to 30303 tcp at all..

    Again what is the time frame in these graphs, last 24 hours?  Last hour? etc..  If you're curious do a packet capture on your wan on that port and it might give you some insight to what it is.  For sure will tell you if syn or just out of state ack.  If ack, take a look at your state table: do you see any traffic going somewhere with that 30303 as source port?

    I checked my firewall log this morning and some are TCP:S and the others are UDP. This port is still in the top 2 of overall blocks along with port 1433. As for the timeframe in my screenshots from the last post, that was a 2-week snapshot. I did a 2-day snapshot; it is posted below.
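    The SYN-versus-out-of-state question raised above, and the per-port share of blocks the dashboard shows, worked as an added example that is not from the thread or from pfSense itself: a small Python parser for pfSense filterlog lines that classifies each inbound block by destination port and TCP flags. It assumes the pfSense 2.2+ filterlog CSV layout (common header, IPv4 block, then TCP or UDP block); the log lines are constructed.

    ```python
    """Break down pfSense filterlog blocks per destination port and by SYN / out-of-state / UDP."""
    from collections import Counter, defaultdict

    # Constructed sample lines in the assumed pfSense 2.2+ filterlog CSV layout:
    # rule,sub,anchor,tracker,if,reason,action,dir,ipver,tos,ecn,ttl,id,off,flags,proto-id,proto,len,src,dst,
    # then sport,dport,datalen[,tcpflags,seq,ack,win,urg,opts]
    SAMPLE_LOG = """\
    5,,,1000000103,igb0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.2,51234,30303,0,S,1,,65535,,mss
    5,,,1000000103,igb0,match,block,in,4,0x0,,51,0,0,DF,6,tcp,60,198.51.100.8,203.0.113.2,40002,30303,0,S,1,,65535,,mss
    5,,,1000000103,igb0,match,block,in,4,0x0,,48,0,0,none,17,udp,72,198.51.100.9,203.0.113.2,30303,30303,52
    5,,,1000000103,igb0,match,block,in,4,0x0,,57,0,0,DF,6,tcp,40,198.51.100.10,203.0.113.2,443,30303,0,A,5,9,1024,,
    5,,,1000000103,igb0,match,block,in,4,0x0,,44,0,0,DF,6,tcp,60,198.51.100.11,203.0.113.2,5555,1433,0,S,1,,8192,,mss
    5,,,1000000103,igb0,match,block,in,4,0x0,,44,0,0,DF,6,tcp,60,198.51.100.12,203.0.113.2,5556,23,0,S,1,,8192,,mss
    """


    def parse_filterlog(line):
        """Return the fields we care about for an IPv4 TCP/UDP entry, or None for anything else."""
        f = line.strip().split(",")
        if len(f) < 23 or f[8] != "4" or f[16] not in ("tcp", "udp"):
            return None
        flags = f[23] if f[16] == "tcp" and len(f) > 23 else ""
        return {"action": f[6], "direction": f[7], "proto": f[16],
                "src": f[18], "dport": int(f[21]), "flags": flags}


    def classify(entry):
        """SYN without ACK is a directed probe; any other TCP flag combination is out-of-state
        (e.g. a bare ACK or SYN-ACK that matches no session); UDP is reported as udp."""
        if entry["proto"] != "tcp":
            return entry["proto"]
        fl = entry["flags"]
        return "syn" if "S" in fl and "A" not in fl else "out-of-state"


    def summarize(log_text):
        """Per destination port: inbound block count, share of all inbound blocks, class breakdown."""
        per_port = defaultdict(Counter)
        total = 0
        for line in log_text.splitlines():
            e = parse_filterlog(line)
            if e is None or e["action"] != "block" or e["direction"] != "in":
                continue
            per_port[e["dport"]][classify(e)] += 1
            total += 1
        return {port: {"hits": sum(c.values()),
                       "share": round(100 * sum(c.values()) / total, 1),
                       "kinds": dict(c)}
                for port, c in per_port.items()}


    if __name__ == "__main__":
        for port, info in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"]):
            print(f"dport {port}: {info['hits']} blocks ({info['share']}%) {info['kinds']}")
    ```

    Only the "syn" bucket is traffic that actually targeted the port; a port dominated by "out-of-state" or "udp" entries is the log clutter the reply above describes.
    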





  • Rebel Alliance Global Moderator

    The pfmonitor doesn't really have a lot of players in it reporting traffic..  But it's odd that it is showing that many hits while DShield is showing like nothing

    https://www.dshield.org/port.html?port=30303




  • Just an update. Port 30303 tapered off for a few days (was about 30% of blocked) and now it is back up. Should I be concerned here?


  • Banned

    I wouldn't think so considering it's being blocked.


  • Rebel Alliance Global Moderator

    Should you be concerned with any of the other ports that are being blocked?  Unless it was 1000s of hits a second it's just noise like everything else..



  • I'm blocking an average of 10pps. Some days it's about 5pps and others it's about 15pps. 9200 blocked packets is 10min-30min of activity on my home connection.


  • Rebel Alliance Global Moderator

    So very low level background noise then..