Listen Port Getting Nailed by Packets

[FlungPup]

Hi everyone!

So I'd been using BitComet for a few months now but I'd only recently installed and started up Protowall. Now right away I noticed Protowall blocking packets to and from my listen port to wierd places, mostly places that sound like their from China. Then I found that those packets were being blocked, and alot not being blocked, on that same port and I'm NOT running anything. I'm just at my desktop. :huh:

So I change the listen port and set up a firewall trap on the old one which is blocking packets every few seconds, but I'm getting the same ip's and packets on my new listen port. Reboot to my desktop and sure enough Protowall is denying all these packets to and from my new listen port just like before.

It's like something knows what listen port I'm using for BitComet and nailing that port all the time. Is that a proper summation of these events? Is this cool or should I flee?

:unsure:

[flexy123]

Hi everyone!

So I'd been using BitComet for a few months now but I'd only recently installed and started up Protowall. Now right away I noticed Protowall blocking packets to and from my listen port to wierd places, mostly places that sound like their from China. Then I found that those packets were being blocked, and alot not being blocked, on that same port and I'm NOT running anything. I'm just at my desktop. :huh:

So I change the listen port and set up a firewall trap on the old one which is blocking packets every few seconds, but I'm getting the same ip's and packets on my new listen port. Reboot to my desktop and sure enough Protowall is denying all these packets to and from my new listen port just like before.

It's like something knows what listen port I'm using for BitComet and nailing that port all the time. Is that a proper summation of these events? Is this cool or should I flee?

:unsure:

oh..i see your point. you are NOT running any applications with any internet-access ?

You very likely are behind a router...either yours or your ISPs...and connections are still "open".....some routers hold connections open for long periods of time. And from an older P2P session still someone tries to connect to your IP.

Also...if you're behind a NAT router (a router which is ahred by many users incl. you at your ISP)...possible that stuff comes in from there even if you're not the one being online.

Also..spyware/virus is a possibility.

go into CMD adn do a "netstat -a" which should show you all connections in/out.

[FlungPup]

I do have a router. Lynksys G something or other. I thought maybe some sort of buffer may have been playing itself out so I checked in the morning after the pc was shut down all night and sure enough packets started coming and going on the listen port. Both the old one and the new one actually.

This isn't normal is it?

I've run my spy and anit virus (trend micro) and I've been to grc.com and ran all their scans and my pc is in full stealth mode.

this netstat command. Is there anything I should look for? I'm not familiar with the command or what I'm seeing with it.

Thanks for the info too btw...

FP

[kluelos]

You might try that on a port you have never used for BitComet, but above 50000 and see what you get.

There are two sources for these packets. When you start a torrent, you send a message to the tracker, "add me to the swarm, here's my IP address and listen port". The tracker sends you a list of current swarm members and their status. From time to time, you re-scrape the tracker, and get an updated list of swarm members.

Meantime, all those other members are also scraping the tracker from time to time and getting the list showing you as a member. Some of them try to contact you at your IP address, on your stated port. If you quit the swarm properly, your client sends a message to the tracker to be take it out of the swarm memberlist. Even so, it will take a while for everyone to successfully re-scrape, and get a new member list that doesn't include you.

If you don't quit properly and just leave, the tracker may eventually figure out that you're not there anymore (because you haven't scraped for a long time) and remove you from the list. That may take hours. Meantime, you're still on the list so others continue to try to contact you.

That's one source. It's harmless. The other source, and the one you may find when you try the never-used port test, is basically malicious. You're being probed in hopes of a response, indicating that you have been or can be compromised. This is why we have firewalls, and why you should never, ever, connect to the internet without one.

[FlungPup]

Ahh I see.

So how does one quit properly? Stop a torrent instead of just killing the prog?

I was freaked because it seemed to follow the listen port which I had setup for the router to forward for BC. I'm still getting some packets to the old port but it has calmed down having been a whole day since I changed it. But my Trend firewall didn't log anything until I added a denial for that port in the exceptions list after I changed the permissives for BC at the router and the firewall.

hmmmm...

Thanks,

FP