
portsentry woes



I installed portsentry lately, and I'm being constantly warned about UDP
connect attempts that I can't otherwise detect, from a machine that (as
far as I can tell) isn't trying to connect.

I installed portsentry on the machine 'izzy' with "apt-get portsentry". 
Default settings.  The machine 205.XXX.216.233 is the gateway given to
me by the co-location facility.

I've been getting constant messages like the following:

> Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
> Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring
> Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
> Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring
> Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
> Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring
> Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
> Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring

It used to warn me about UDP port 69, but I edited
/etc/portsentry/portsentry.conf and changed the UDP_PORTS line.  Now
it's warning me about port 9.

Thing is, I've used tcpdump and ngrep to listen for any UDP traffic to
find out what the content of port 69 (Trivial FTP) or port 9 (discard)
might be... but I'm not detecting traffic destined for either port,
despite this warning-storm.  The warnings themselves are cluttering up
my syslogs, I'll have to switch to something else.

Can someone explain to me why portsentry is giving what looks like false
positives?  Alternately, can someone suggest an alternative?
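One way to triage an alert storm like the one quoted above, added here as an example (it is not from the original post and not portsentry's own code): parse the attackalert lines, collapse the "already blocked" repeats into a count, and turn what remains into the exact tcpdump/ngrep filter that would show the reported datagrams on the wire. The sample log is constructed from the line formats quoted in the post, with 203.0.113.x (documentation space) standing in for the masked gateway address and an unrelated sshd line thrown in to show that non-portsentry lines are skipped.

```python
"""Triage portsentry 'attackalert' syslog lines and build a matching tcpdump filter.

Added example, not part of the original post or of portsentry itself.
"""
import re
from collections import Counter

# Line formats copied from the post; the "already blocked" line carries no new
# information and is only counted as noise.
CONNECT_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: "
    r"(?P<name>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)
ALREADY_RE = re.compile(r"attackalert: Host: (?P<ip>\S+) is already blocked\. Ignoring")

# Constructed sample modelled on the lines quoted in the post (assumed data);
# 203.0.113.0/24 is documentation space standing in for the masked gateway.
SAMPLE_LOG = """\
Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Connect from host: 203.0.113.1/203.0.113.1 to UDP port: 9
Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Host: 203.0.113.1 is already blocked. Ignoring
Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Connect from host: 203.0.113.1/203.0.113.1 to UDP port: 9
Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Host: 203.0.113.1 is already blocked. Ignoring
Feb 20 08:07:10 izzy portsentry[8280]: attackalert: Connect from host: scanner.example/203.0.113.9 to TCP port: 23
Feb 20 08:07:11 izzy sshd[1201]: Accepted publickey for admin from 198.51.100.4 port 50122
"""


def parse_alerts(text):
    """Return (connects, repeats): parsed connect events, plus a per-IP count of
    'already blocked' repeat lines. Lines that match neither format are skipped."""
    connects = []
    repeats = Counter()
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            connects.append({
                "name": m["name"], "ip": m["ip"],
                "proto": m["proto"], "port": int(m["port"]),
            })
            continue
        m = ALREADY_RE.search(line)
        if m:
            repeats[m["ip"]] += 1
    return connects, repeats


def summarize(connects):
    """Count events per (ip, proto, port) so one noisy host becomes one row."""
    return Counter((c["ip"], c["proto"], c["port"]) for c in connects)


def bpf_filter(summary):
    """Build a BPF expression (tcpdump/ngrep syntax) that captures exactly the
    traffic portsentry reported, so each alert can be checked against the wire."""
    clauses = sorted(
        f"({proto.lower()} and src host {ip} and dst port {port})"
        for ip, proto, port in summary
    )
    return " or ".join(clauses)


if __name__ == "__main__":
    connects, repeats = parse_alerts(SAMPLE_LOG)
    summary = summarize(connects)
    for (ip, proto, port), n in summary.most_common():
        print(f"{n:4d}  {proto} {port:<5} from {ip}  (repeat lines: {repeats[ip]})")
    # eth0 is an assumed interface name; use the one facing the gateway.
    print("tcpdump -ni eth0 '" + bpf_filter(summary) + "'")
```

Feed it the real syslog (`python3 triage.py < /var/log/syslog`-style, after swapping SAMPLE_LOG for stdin) and run the printed tcpdump command on the interface that faces the gateway: the capture count for each (source, port) can then be compared directly with the alert count, which is the comparison the post is trying to make by hand.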


