On Thu, Jun 05, 2003 at 10:02:53PM +0200, Christoph Haas wrote:
So most probably you see just the second. That's the way TCP works.
Sequential port numbers may show up because the counter of used
high-ports (1024 ff.) is just increased.
No, it's not at all uncommon to see incoming traffic from well known
ports. It's an easy way to bypass weakly configured firewalls. Snort
can detect such activity. Nmap can generate it using the -g flag.
Here's what the nmap man page has to say about it:
-g <portnumber>
Sets the source port number used in scans. Many naive firewall
and packet filter installations make an exception in their ruleset
to allow DNS (53) or FTP-DATA (20) packets to come through
and establish a connection. Obviously this completely subverts
the security advantages of the firewall since intruders can just
masquerade as FTP or DNS by modifying their source port. Obviously
for a UDP scan you should try 53 first and TCP scans
should try 20 before 53. Note that this is only a request --
nmap will honor it only if and when it is able to. For example,
you can't do TCP ISN sampling all from one host:port to one
host:port, so nmap changes the source port even if you used -g.
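To make the man page's point concrete from the defender's side, here is a small added example (my own, not from this thread or from nmap) contrasting the weak "trust anything from source port 20 or 53" rule with a stateful check that only admits replies to flows the protected network opened itself. Packet records, addresses and ports are constructed for illustration.

```python
from dataclasses import dataclass

# Source ports that weakly configured firewalls often trust unconditionally
# (FTP-DATA and DNS, the two the nmap man page names).
TRUSTED_SRC_PORTS = {20, 53}

@dataclass(frozen=True)
class Pkt:
    proto: str       # "tcp" or "udp"
    direction: str   # "out" = leaving our network, "in" = arriving
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn_only: bool = False  # TCP SYN without ACK: a fresh connection attempt

def naive_allows(p: Pkt) -> bool:
    """The weak rule: admit any inbound packet whose source port is 20 or 53."""
    return p.direction == "in" and p.src_port in TRUSTED_SRC_PORTS

def stateful_allows(p: Pkt, flows: set) -> bool:
    """Admit an inbound packet only if it answers a flow we opened ourselves.
    Outbound packets register their flow; a bare SYN is never a reply."""
    if p.direction == "out":
        flows.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return True
    if p.syn_only:
        return False
    return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in flows

def audit(packets):
    """Return the inbound packets the naive rule admits but the stateful
    check rejects: exactly the traffic a source-port-spoofing scan produces."""
    flows, flagged = set(), []
    for p in packets:
        ok_stateful = stateful_allows(p, flows)
        if p.direction == "in" and naive_allows(p) and not ok_stateful:
            flagged.append(p)
    return flagged

# Constructed sample traffic (not a real capture).
SAMPLE = [
    Pkt("udp", "out", "10.0.0.5", 40001, "198.51.100.1", 53),             # our DNS query
    Pkt("udp", "in", "198.51.100.1", 53, "10.0.0.5", 40001),              # genuine reply
    Pkt("tcp", "in", "203.0.113.9", 53, "10.0.0.5", 22, syn_only=True),   # probe from port 53
    Pkt("tcp", "in", "203.0.113.9", 20, "10.0.0.5", 445, syn_only=True),  # probe from port 20
    Pkt("tcp", "in", "203.0.113.9", 4444, "10.0.0.5", 22, syn_only=True), # blocked by both rules
]

if __name__ == "__main__":
    for p in audit(SAMPLE):
        print(f"unsolicited {p.proto} from {p.src_ip}:{p.src_port} to port {p.dst_port}")
```

The genuine DNS reply passes both checks because it matches the query we sent; the two SYNs arriving from ports 53 and 20 pass only the naive rule, which is what a Snort signature for this trick keys on.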