# UDP Port 1024 Attempts



## jeffcarpio (Feb 27, 2010)

I am seeing UDP Port 1024 attempts every few seconds in my firewall logs.

The searching I have done shows it 'could' be related to the spynet rat application.

The attempts are being blocked, so I guess it is more annoying than anything else.

Does anyone have any information about these attempts? Any recommendations for stopping these attempts? I was thinking about calling my ISP.


```
0:00:01 IN=eth2 OUT= MAC=00:11:0a:98:54:3d:00:d0:9e:45:97:11:08:00 SRC=112.205.30.128 DST=99.132.134.223 LEN=126 TOS=0x00 PREC=0x00 TTL=115 ID=3752 PROTO=UDP SPT=9293 DPT=1024 LEN=106 
00:00:01 IN=eth2 OUT= MAC=00:11:0a:98:54:3d:00:d0:9e:45:97:11:08:00 SRC=61.231.49.184 DST=99.132.134.223 LEN=126 TOS=0x00 PREC=0x00 TTL=116 ID=6016 PROTO=UDP SPT=27362 DPT=1024 LEN=106 
00:00:09 IN=eth2 OUT= MAC=00:11:0a:98:54:3d:00:d0:9e:45:97:11:08:00 SRC=72.230.39.172 DST=99.132.134.223 LEN=51 TOS=0x00 PREC=0x00 TTL=116 ID=22891 PROTO=UDP SPT=40526 DPT=1024 LEN=31 
00:00:11 IN=eth2 OUT= MAC=00:11:0a:98:54:3d:00:d0:9e:45:97:11:08:00 SRC=72.230.39.172 DST=99.132.134.223 LEN=51 TOS=0x00 PREC=0x00 TTL=116 ID=23086 PROTO=UDP SPT=40526 DPT=1024 LEN=31 
00:00:14 IN=eth2 OUT= MAC=00:11:0a:98:54:3d:00:d0:9e:45:97:11:08:00 SRC=72.230.39.172 DST=99.132.134.223 LEN=51 TOS=0x00 PREC=0x00 TTL=116 ID=23461 PROTO=UDP SPT=40526 DPT=1024 LEN=31 
00:00:15 IN=eth2 OUT= MAC=00:11:0a:98:54:3d:00:d0:9e:45:97:11:08:00 SRC=114.183.238.178 DST=99.132.134.223 LEN=129 TOS=0x00 PREC=0x00 TTL=113 ID=47795 PROTO=UDP SPT=8617 DPT=1024 LEN=109 
00:00:20 IN=eth2 OUT= MAC=00:11:0a:98:54:3d:00:d0:9e:45:97:11:08:00 SRC=71.20.196.146 DST=99.132.134.223 LEN=131 TOS=0x00 PREC=0x00 TTL=113 ID=29408 PROTO=UDP SPT=24107 DPT=1024 LEN=111 
00:00:21 IN=eth2 OUT= MAC=00:11:0a:98:54:3d:00:d0:9e:45:97:11:08:00 SRC=72.230.39.172 DST=99.132.134.223 LEN=51 TOS=0x00 PREC=0x00 TTL=116 ID=24107 PROTO=UDP SPT=40526 DPT=1024 LEN=31 
00:00:22 IN=eth2 OUT= MAC=00:11:0a:98:54:3d:00:d0:9e:45:97:11:08:00 SRC=202.121.0.194 DST=99.132.134.223 LEN=129 TOS=0x00 PREC=0x00 TTL=110 ID=18444 PROTO=UDP SPT=16001 DPT=1024 LEN=109 
00:00:22 IN=eth2 OUT= MAC=00:11:0a:98:54:3d:00:d0:9e:45:97:11:08:00 SRC=89.201.136.30 DST=99.132.134.223 LEN=105 TOS=0x00 PREC=0x00 TTL=110 ID=29899 PROTO=UDP SPT=65535 DPT=65535 LEN=85
```


Thanks for looking!

- Jeff


----------



## honk (Feb 27, 2010)

I don't know what it is and I also would not care about it on my firewall if the packet rate is not too high. Possibly it's p2p traffic destined to your IP and this IP was formerly used by someone else. But I'm curious what's inside the UDP packet, could you please post the payload of some example packets (e.g. `tcpdump -s 1500 -X`)?


----------
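Added example, not part of any post in this thread: a Python triage of the iptables LOG lines from the first post, reporting per-source packet counts, retry span, destination ports and UDP payload sizes, which are the figures that bear on whether the rate is worth worrying about. The sample lines are excerpted from the log above with the MAC/TOS/PREC fields trimmed; the function names are hypothetical, and timestamps are assumed to fall within a single day.

```python
import re
from collections import defaultdict

# Excerpt of the log lines from the first post (MAC/TOS/PREC fields trimmed).
SAMPLE_LOG = """\
00:00:01 IN=eth2 OUT= SRC=61.231.49.184 DST=99.132.134.223 LEN=126 TTL=116 ID=6016 PROTO=UDP SPT=27362 DPT=1024 LEN=106
00:00:09 IN=eth2 OUT= SRC=72.230.39.172 DST=99.132.134.223 LEN=51 TTL=116 ID=22891 PROTO=UDP SPT=40526 DPT=1024 LEN=31
00:00:11 IN=eth2 OUT= SRC=72.230.39.172 DST=99.132.134.223 LEN=51 TTL=116 ID=23086 PROTO=UDP SPT=40526 DPT=1024 LEN=31
00:00:14 IN=eth2 OUT= SRC=72.230.39.172 DST=99.132.134.223 LEN=51 TTL=116 ID=23461 PROTO=UDP SPT=40526 DPT=1024 LEN=31
00:00:21 IN=eth2 OUT= SRC=72.230.39.172 DST=99.132.134.223 LEN=51 TTL=116 ID=24107 PROTO=UDP SPT=40526 DPT=1024 LEN=31
00:00:22 IN=eth2 OUT= SRC=89.201.136.30 DST=99.132.134.223 LEN=105 TTL=110 ID=29899 PROTO=UDP SPT=65535 DPT=65535 LEN=85
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (seconds, fields) for a UDP LOG line, else None.
    LEN appears twice: the first is the IP total length, the second the UDP length."""
    stamp, _, rest = line.strip().partition(" ")
    h, m, s = (int(x) for x in stamp.split(":"))
    fields = {}
    for key, value in FIELD_RE.findall(rest):
        if key == "LEN" and "LEN" in fields:
            key = "UDP_LEN"
        fields[key] = value
    if fields.get("PROTO") != "UDP":
        return None
    return h * 3600 + m * 60 + s, fields

def summarize(log_text):
    """Per-source packet count, time span, destination ports and UDP payload sizes."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                 "dports": set(), "payload": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line) if line.strip() else None
        if parsed is None:
            continue
        t, f = parsed
        s = stats[f["SRC"]]
        s["count"] += 1
        s["first"] = t if s["first"] is None else s["first"]
        s["last"] = t
        s["dports"].add(int(f["DPT"]))
        s["payload"].add(int(f["UDP_LEN"]) - 8)  # UDP header is 8 bytes
    return dict(stats)

def repeat_senders(stats, min_packets=3):
    """Sources that keep retrying: (src, packets, seconds from first to last)."""
    return sorted((src, s["count"], s["last"] - s["first"])
                  for src, s in stats.items() if s["count"] >= min_packets)
```

A source that resends an identical-size payload from the same source port every few seconds, as 72.230.39.172 does here, looks like an application retrying a peer that is no longer there rather than a port sweep.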



## DutchDaemon (Feb 27, 2010)

Why are we looking at iptables output anyway?


----------



## jeffcarpio (Feb 28, 2010)

I thought this would be the best place to figure out a firewall issue.

If you don't mind, I will jump off topic...
I am building a FreeBSD PF firewall, but am having no luck with getting my internal LAN out to the internet. I have the sysctl.conf set up to route packets. My internal computers can ping each other and the firewall NICs, but nothing outside of the firewall. Should I set up a DNS server and can it be a part of the firewall box?


----------



## DutchDaemon (Feb 28, 2010)

jeffcarpio said:

> I thought this would be the best place to figure out a firewall issue.



A *FreeBSD* firewall issue, yes .. I'm sure you can discuss your iptables output on one of the 500 Linux distros' forums.



> If you don't mind; I will jump off topic...



I do mind. Please open a new topic for this issue. That is the general rule here.


----------

