FWIN,2004/02/14,21:03:48 -5:00 GMT,209.x.0.70:2785,10.x.4.254:3127,TCP (flags:S)
FWIN,2004/02/14,21:03:56 -5:00 GMT,209.x.0.70:x52,10.x.4.254:31x,TCP (flags:S)
FWIN,2004/02/14,21:04:04 -5:00 GMT,209.x.0.70:2917,10.x.4.254:1080,TCP (flags:S)
FWIN,2004/02/14,21:09:38 -5:00 GMT,212.x.150.131:1025,10.x.4.254:135,TCP (flags:S)
FWIN,2004/02/14,21:12:54 -5:00 GMT,193.x.53.241:1903,10.x.4.254:901,TCP (flags:S)
FWIN,2004/02/14,21:13:38 -5:00 GMT,63.207.x.185:0,10.x.4.254:0,ICMP
FWIN,2004/02/14,21:25:20 -5:00 GMT,217.82.2x.145:40410,10.x.4.254:137,UDP
FWIN,2004/02/14,21:27:12 -5:00 GMT,207.x.42.70:4778,10.x.4.254:135,TCP (flags:S)
FWIN,2004/02/14,21:x:58 -5:00 GMT,63.191.193.x:3631,10.x.4.254:135,TCP (flags:S)
FWIN,2004/02/14,21:37:58 -5:00 GMT,63.x.214.3:0,10.x.4.254:0,ICMP (type:8/subtype:0)
FWIN,2004/02/14,21:56:22 -5:00 GMT,65.24.59.x5:1979,10.x.4.254:3127,TCP (flags:S)
FWIN,2004/02/14,21:59:48 -5:00 GMT,216.x.10.130:0,10.x.4.254:0,ICMP (type:8/subtype:0)
FWIN,2004/02/14,21:59:50 -5:00 GMT,218.x.58.87:3860,10.x.4.254:445,TCP (flags:S)
FWIN,2004/02/14,21:59:50 -5:00 GMT,218.x.58.87:3861,10.x.4.254:139,TCP (flags:S)



Notice in particular the attempted scans/connects to mydoom ports(I'm not infected nor do I have an open port on 3128/27). This is behind my ISPs NAT router. None of these IPs are owned by my isp, so they are all outside traffic, and I have a private IP, (10.x)

But this is not the only time I've seen this. I've gotten windows messenger popups(the real thing, not MSN messenger or web faked ones) behind linksys/dlink broadband routers with nat and no port forwarding configured.

Perhaps some broadband routers automatically forward requests to open services, but I'm more interested in the ISP situation as it can't possibly be doing this with hundreds of clients behind its NAT router.