Floods of attempts to access ports

[sbradley2001]

Over the past week or so, my home network has had an increase of attempted access on different ports. The source IP has been different each time, but stuck to 3 TCP/IP ports. The destination address was different each time, but the port was the same. Anyone have any ideas on what could be causing this. All the attempts were stoped by Norton Internet Security. My home network is setup like the following:

1 Windows 2000 Server, Configured as Domain Controler, DHCP, DNS
4 desktop & 2 laptops, all running Windows XP Pro. Desktops are on a wired network and the laptops are connected through a Linksys 802.11b Access point with 64 bit WEP enabled
1 Netgear Security router, connected to a switch on the internal side and a cable modem on the WAN side

All computers have Norton Internet Security running, with the most recent updates installed. Windows on all machines are up to date, including recommended updates and drivers.

The ports that were used follows:

Source -> Destination
2454 -> 11085
4556 -> 11085
2140 -> 11085

Like I said above, both the source and destination IP's were different each time.

If you need more information, let me know. Thanks.

[IKnowNot]

No one has answer yet, so I will. I don’t think I can help you, but I am confused. Maybe you could supply more info so someone else can help.

home network has had an increase of attempted access on different ports. The source IP has been different each time, but stuck to 3 TCP/IP ports

You only listed one port, 11085. What other ports were “targeted”?

The destination address was different each time, but the port was the same. ... both the source and destination IP's were different each time.

What software are you using and how is your network configured that you are receiving traffic not destined for you, or are you using multiple public addresses which were the “target”? Or were the targets private addresses?

All computers have Norton Internet Security running

So exactly at what point in the network did you notice these attempts, and where did they come from?
Did they come from outside the LAN, or inside?
Were they incoming or outgoing?

[Tedob1]

Source -> Destination
2454 -> 11085
4556 -> 11085
2140 -> 11085

just seeing this im not sure if 11085 is a local port like your implying of the port for a remote service like msm which i think it may be.

do a netstat and post it. also download and run fport (from a command prompt), copy and past the results. http://www.foundstone.com/resources/..._detection.htm

[thehorse13]

Hmmmmm, that port is not registered with the IANA http://www.iana.org/assignments/port-numbers so I'm not exactly convinced it is MSN. Again, your description is not very clear so you'll need to fill in the blanks before anyone can point you in the right direction. How about starting simply with the remote IP address being blocked. We can at least query the WHOIS database to see where the traffic is coming from.

--TH13

[Tedob1]

th13 i haven't seen the update iana list before. man has that grown but they dont list as far as i can tell any IM services. i dont have msn here at home so im just guessing and until this guy gives us some real information i kind of think that its his computer connecting to a remote service. if he does have a service listening on the port locally an fport should show it