What does port 28916 do?

Printable View

October 6th, 2005, 03:41 AM
comptech2

What does port 28916 do?

My firewall log at home and at work are filled with attempts to connect to 28916 all udp traffic from thousands of ip addresses. I cannot figure out what this port normally does and why they keep trying to connect so much. 16% of all incoming connections at my home have a source port of 6881 so that makes me think it has something to do with bittorrent, but my work doesn't ever use bittorrent. One ip address has 6210 attempts to connect and counting, starting over two months ago. Anyone else seeing this in their logs?

BTW, the logs at my home are from the last 54 days (odd number huh, that's when I got my m0n0wall up and running)
October 6th, 2005, 05:20 AM
zencoder

http://www.iana.org/assignments/port-numbers doesn't have anything listed for 28916. You could be seeing a (new?) form of (D)DoS attack. Someone wants to smurf you, so they post a BT seed that shows your IP as the source, and they list the seed as a highly desired app/movie/song/whatever, and wheeeeeeeee the BT p2p junkies do all the nasty work.

Not sure how completely feasible that is, I'm not familiar with the inner workings of BT, but I don't see why that, or a modified version, wouldn't work.
October 6th, 2005, 01:36 PM
VanEck

Are you completely sure that a user at your work is not using bit-torrent, or seeding torrent files? I am not really sure how someone could post a "fake" torrent with someone elses ip... When you upload or seed a file, you have to be active to seed it. If your connection drops before the seed is complete, the file becomes a worthless torrent without a complete seed. No one would bother to try and download an incomplete torrent, and it would have to come from the originating host. No host, no torrent.

I would sniff the traffic and see if an internal ip on your LAN is attempting to use bit-torrent, or other P2P networks. You may have traffic going out from a user, but then your wall is blocking the incoming requests. Find the user and slap his wrists =)
October 6th, 2005, 01:58 PM
phishphreek

zencoder: I had an idea along those lines a while ago... It doesn't take much to tell a tracker that you are participating in a torrent. You can then update fake statistics (how much you've downloaded or what you have to share, etc.)

Some thoughts I jotted down in the past...

Quote:

Bittorrent uses trackers to help peers find each other. A peer announces itself to the tracker using a HTTP GET request. The tracker then refers the peers to a randomly selected set of peers to trade the files between. We know how easy it is to modify HTTP GET requests and to spoof source IPs.... hmmm...

Therefore, if someone was to go through the trouble of finding a bunch of very popular .torrents (new movies, new music, *nix distros, .torrents posted on /., etc.) and make a list of the trackers, the trackers' databases of "participating peers" might be able to be poisoned.

When peers are looking for participating peers to download from, the trackers will refer them to the target you've spoofed. I'm not sure how long these trackers keep the peers in the database, but I've seen traffic hit my firewall DAYS after stopping a .torrent transfer.

Since the target won't be running a torrent client/server, then the traffic will most likely be dropped at the firewall. But, it will still use up bandwidth. If you poison enough trackers to refer peers to the target, you could use up a lot of bandwidth.

I was going to mess around more with it and see if I could get a working script to do that... and attack myself... but I got busy with school and I never picked it back up. I could have sworn I read an article about being able to update the tracker with fake statistics, etc.
October 6th, 2005, 02:07 PM
jinxy

Could it be something like MediaSentry scanning for bittorrent traffic???
October 6th, 2005, 02:10 PM
phishphreek

I was going to look up the port history on isc.sans.org but I can't seem to connect...
Hmm.. thats strange... I was able to get there last night and I can get to sans.org

Anyway, didn't really look like that port was being scanned for too much when I looked last night.
October 6th, 2005, 10:09 PM
comptech2

Every machine we have logs everything the user does, every application opened. Bandwidth is also monitored, no bt applications have been opened internally and no rise in bandwidth usage has been seen. If I saw anyone with bt open and eating our bandwidth to download their illegal music/videos/junk the next day the wouldn't have an account anymore.

It almost looks like the source port numbers i'm seeing are suppose to be a distraction to keep me from figuring out what the packets are really from.

Overall statistics for today on my home firewall show 44% of all inbound traffic that was blocked was going to port 28916, 10% port 0, 3% port 1027, 2% 1026, and so on.

Of 9499 blocked inbound traffic 4187 of them were for port 28916 from 1391 source ip addresses.

If this is a new kind of DDoS, what application is it targeting?

These packets can't DDoS me because they are udp, they are small, and they are dropped using almost no cpu power on the firewall.

I'm going to have to set it to not log any dropped frames from this port because it's filling my logs too fast.