Thread: What does port 28916 do?

  1. #1 Junior Member (Join Date: Aug 2003, Posts: 28)

    What does port 28916 do?

    My firewall logs at home and at work are filled with attempts to connect to 28916, all UDP traffic from thousands of IP addresses. I cannot figure out what this port normally does and why they keep trying to connect so much. 16% of all incoming connections at my home have a source port of 6881, so that makes me think it has something to do with BitTorrent, but my work doesn't ever use BitTorrent. One IP address has 6210 attempts to connect and counting, starting over two months ago. Anyone else seeing this in their logs?

    BTW, the logs at my home are from the last 54 days (odd number, huh? That's when I got my m0n0wall up and running.)

  2. #2 zencoder, AO Senior Cow-beller, Moderator (Join Date: Dec 2004, Location: Mountain standard tribe., Posts: 1,177)
    http://www.iana.org/assignments/port-numbers doesn't have anything listed for 28916. You could be seeing a (new?) form of (D)DoS attack. Someone wants to smurf you, so they post a BT seed that shows your IP as the source, and they list the seed as a highly desired app/movie/song/whatever, and wheeeeeeeee, the BT p2p junkies do all the nasty work.

    Not sure how completely feasible that is, I'm not familiar with the inner workings of BT, but I don't see why that, or a modified version, wouldn't work.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3 Senior Member (Join Date: Jan 2002, Posts: 218)
    Are you completely sure that a user at your work is not using BitTorrent, or seeding torrent files? I am not really sure how someone could post a "fake" torrent with someone else's IP... When you upload or seed a file, you have to be active to seed it. If your connection drops before the seed is complete, the file becomes a worthless torrent without a complete seed. No one would bother to try and download an incomplete torrent, and it would have to come from the originating host. No host, no torrent.

    I would sniff the traffic and see if an internal IP on your LAN is attempting to use BitTorrent, or other P2P networks. You may have traffic going out from a user, but then your wall is blocking the incoming requests. Find the user and slap his wrists =)

  4. #4 phishphreek, AO übergeek (Join Date: Jan 2002, Posts: 4,325)
    zencoder: I had an idea along those lines a while ago... It doesn't take much to tell a tracker that you are participating in a torrent. You can then update fake statistics (how much you've downloaded or what you have to share, etc.)

    Some thoughts I jotted down in the past...

    BitTorrent uses trackers to help peers find each other. A peer announces itself to the tracker using an HTTP GET request. The tracker then refers the peer to a randomly selected set of peers to trade the files between. We know how easy it is to modify HTTP GET requests and to spoof source IPs.... hmmm...

    Therefore, if someone was to go through the trouble of finding a bunch of very popular .torrents (new movies, new music, *nix distros, .torrents posted on /., etc.) and make a list of the trackers, the trackers' databases of "participating peers" might be able to be poisoned.

    When peers are looking for participating peers to download from, the trackers will refer them to the target you've spoofed. I'm not sure how long these trackers keep the peers in the database, but I've seen traffic hit my firewall DAYS after stopping a .torrent transfer.

    Since the target won't be running a torrent client/server, the traffic will most likely be dropped at the firewall. But it will still use up bandwidth. If you poison enough trackers to refer peers to the target, you could use up a lot of bandwidth.

    I was going to mess around more with it and see if I could get a working script to do that... and attack myself... but I got busy with school and I never picked it back up. I could have sworn I read an article about being able to update the tracker with fake statistics, etc.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5 Regal Making Handler (Join Date: Jun 2002, Posts: 1,668)
    Could it be something like MediaSentry scanning for BitTorrent traffic???
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #6 phishphreek, AO übergeek (Join Date: Jan 2002, Posts: 4,325)
    I was going to look up the port history on isc.sans.org but I can't seem to connect...
    Hmm... that's strange... I was able to get there last night and I can get to sans.org.

    Anyway, didn't really look like that port was being scanned for too much when I looked last night.

  7. #7 Junior Member (Join Date: Aug 2003, Posts: 28)
    Every machine we have logs everything the user does, every application opened. Bandwidth is also monitored; no BT applications have been opened internally and no rise in bandwidth usage has been seen. If I saw anyone with BT open and eating our bandwidth to download their illegal music/videos/junk, the next day they wouldn't have an account anymore.

    It almost looks like the source port numbers I'm seeing are supposed to be a distraction to keep me from figuring out what the packets are really from.

    Overall statistics for today on my home firewall show 44% of all inbound traffic that was blocked was going to port 28916, 10% port 0, 3% port 1027, 2% 1026, and so on.

    Of 9499 blocked inbound connection attempts, 4187 were for port 28916, from 1391 source IP addresses.

    If this is a new kind of DDoS, what application is it targeting?

    These packets can't DDoS me because they are UDP, they are small, and they are dropped using almost no CPU power on the firewall.

    I'm going to have to set it to not log any dropped frames from this port because it's filling my logs too fast.
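The statistics the original poster quotes in this last reply (share of blocked inbound traffic per destination port, number of distinct source IPs behind one port, share of hits carrying BitTorrent's default source port 6881) are the kind of summary a practitioner wants to pull out of a firewall log before deciding which noisy ports to stop logging. The script below is an added example, not code from the thread or from m0n0wall. It assumes a constructed, generic pf-style "block in" line format for the sample log; the IP addresses and counts are made up for illustration, and the 6881 check reflects the poster's own hypothesis about BitTorrent.

```python
"""Summarize blocked inbound traffic from firewall log lines.

Added example: the log format is a constructed, generic pf-style block line,
not the exact m0n0wall format. Sample addresses are documentation ranges.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log. Six hits to UDP/28916 from four sources, three of
# them carrying BitTorrent's default source port 6881, plus background noise
# and one "pass" line that the parser must ignore.
SAMPLE_LOG = """\
Mar 02 10:01:12 fw pf: block in on wan0: 203.0.113.7:6881 -> 198.51.100.2:28916 UDP len 60
Mar 02 10:01:13 fw pf: block in on wan0: 203.0.113.8:6881 -> 198.51.100.2:28916 UDP len 60
Mar 02 10:01:15 fw pf: block in on wan0: 203.0.113.9:51234 -> 198.51.100.2:28916 UDP len 60
Mar 02 10:01:18 fw pf: block in on wan0: 203.0.113.7:6881 -> 198.51.100.2:28916 UDP len 60
Mar 02 10:01:19 fw pf: pass in on wan0: 192.0.2.44:40123 -> 198.51.100.2:22 TCP len 64
Mar 02 10:01:20 fw pf: block in on wan0: 203.0.113.10:40000 -> 198.51.100.2:28916 UDP len 60
Mar 02 10:01:22 fw pf: block in on wan0: 192.0.2.5:1025 -> 198.51.100.2:1027 UDP len 48
Mar 02 10:01:25 fw pf: block in on wan0: 192.0.2.6:1025 -> 198.51.100.2:1026 UDP len 48
Mar 02 10:01:27 fw pf: block in on wan0: 192.0.2.7:0 -> 198.51.100.2:0 UDP len 28
Mar 02 10:01:30 fw pf: block in on wan0: 192.0.2.8:4444 -> 198.51.100.2:445 TCP len 52
Mar 02 10:01:31 fw pf: block in on wan0: 203.0.113.7:6881 -> 198.51.100.2:28916 UDP len 60
"""

# Only "block in" lines count as blocked inbound traffic.
BLOCK_RE = re.compile(
    r"block in on (?P<iface>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>[A-Z]+)"
)

BITTORRENT_DEFAULT_PORT = 6881  # default client listen port, per the poster's hypothesis


def parse_blocks(lines):
    """Yield one dict per blocked inbound line; unmatched lines are skipped."""
    for line in lines:
        m = BLOCK_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        yield rec


def summarize(lines):
    """Compute the per-port and per-source figures quoted in the thread."""
    records = list(parse_blocks(lines))
    total = len(records)
    if total == 0:
        return {"total": 0, "dport_share": {}, "unique_sources": {},
                "top_source": None, "bittorrent_sport_share": 0.0}

    by_dport = Counter(r["dport"] for r in records)
    by_src = Counter(r["src"] for r in records)
    sources_by_dport = defaultdict(set)
    for r in records:
        sources_by_dport[r["dport"]].add(r["src"])
    bt_hits = sum(1 for r in records if r["sport"] == BITTORRENT_DEFAULT_PORT)

    return {
        "total": total,
        # percentage of all blocked inbound hits per destination port, noisiest first
        "dport_share": {p: round(100.0 * c / total, 1) for p, c in by_dport.most_common()},
        # how many distinct sources hit each port (one source vs. thousands tells a story)
        "unique_sources": {p: len(s) for p, s in sources_by_dport.items()},
        # the single most persistent source, as (ip, hits)
        "top_source": by_src.most_common(1)[0],
        "bittorrent_sport_share": round(100.0 * bt_hits / total, 1),
    }


def noisy_ports(summary, min_share_percent):
    """Destination ports whose share of blocked hits exceeds the threshold.

    These are the candidates for a 'drop without logging' rule, so the
    remaining log stays readable.
    """
    return [p for p, share in summary["dport_share"].items() if share >= min_share_percent]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"blocked inbound hits: {s['total']}")
    for port, share in s["dport_share"].items():
        print(f"  port {port:>5}: {share:5.1f}% from {s['unique_sources'][port]} source(s)")
    print(f"top source: {s['top_source'][0]} ({s['top_source'][1]} hits)")
    print(f"hits with source port {BITTORRENT_DEFAULT_PORT}: {s['bittorrent_sport_share']}%")
    print("candidates to stop logging:", noisy_ports(s, 30.0))
```

Run against a real log, the ratio of unique sources to hits on one port is the useful discriminator: a single source retrying for months looks very different from over a thousand distinct sources hitting the same UDP port, which is the pattern the poster describes and which fits stale peer lists better than a targeted scan.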
