On Thu, Sep 13, 2001 at 10:02:41AM -0700, Gregory Hicks wrote:
> Think this might be better answered by the firewall wizards... I
> believe they already have such a list or can point to such a list...
I'll chime in here and add what I can. I'd really love to see the
canonical list, if one already exists. It might also be worthwhile
to note how to block these as well. Some like AudioGalaxy are a little
more difficult to block until one figures out which CIDR blocks to
blackhole.
> 1214 - napster and the like
1214/TCP is KaZaA/Morpheus
> 5000
5500/TCP and 5501/TCP are HotLine
> 5555
> 6346 - Gnutella and clones
> 7777
> 8311
This is/was Scour Exchange. I believe that it's dead.
> 8875
> 8888 - AudioGalaxy?
AudioGalaxy also uses port 20 or 21 (can't remember which), *much* to
the consternation of some intrusion detection systems which attempt
to analyze FTP traffic. :-(
> 6257 - WinMX TCP
> 6699 - WinMX UDP
Cool, I was wondering what program was creating all of that 6257/TCP
and 6699/UDP traffic.
Another one that I've seen is some music exchange program, possibly
Korean in origin, that generated huge amounts of 9001/UDP packets.
You can identify this one by telnetting to the machine that is generating
the UDP traffic on 9002/TCP. If you get something like this:

    MTP 1.0

as a response, then you've found this one. I was once told the name
of the Korean program, but I've since forgotten it.
Paul
--
Paul Dokas dokas@cs.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
This archive was generated by hypermail 2b30 : Mon Sep 17 2001 - 09:07:35 PDT
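
The identification step described in the message above (heavy 9001/UDP traffic, then a check for an "MTP 1.0" response on 9002/TCP) can be scripted for hosts on a network you administer. This is an added example, not part of the original post; the flow-record layout, the packet threshold, the function names and the 192.0.2.x sample records are assumptions constructed for illustration.

```python
import socket
from collections import Counter

MTP_BANNER = b"MTP 1.0"          # response quoted in the message above
UDP_PORT, TCP_PORT = 9001, 9002  # ports named in the message above

def candidate_hosts(flows, min_packets=1000):
    """Return sources whose total 9001/UDP packet count reaches min_packets.

    flows: iterable of (src_ip, proto, dst_port, packets) tuples. Both this
    layout and the default threshold are assumptions made for the example.
    """
    totals = Counter()
    for src, proto, dport, packets in flows:
        if proto.lower() == "udp" and dport == UDP_PORT:
            totals[src] += packets
    return sorted(h for h, n in totals.items() if n >= min_packets)

def banner_is_mtp(banner):
    """True if the bytes read from the service start with 'MTP 1.0'."""
    return banner is not None and banner.lstrip().startswith(MTP_BANNER)

def read_banner(host, port=TCP_PORT, timeout=3.0, limit=64):
    """Connect and return the first bytes the service sends, or None when
    the port is closed, filtered, or silent until the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(limit)
    except OSError:
        return None

def speaks_mtp(host, port=TCP_PORT, timeout=3.0):
    return banner_is_mtp(read_banner(host, port, timeout))

# Constructed sample flow records (documentation addresses, not real data).
SAMPLE_FLOWS = [
    ("192.0.2.10", "udp", 9001, 800),
    ("192.0.2.10", "udp", 9001, 700),
    ("192.0.2.11", "udp", 9001, 12),    # below the threshold
    ("192.0.2.12", "tcp", 9001, 5000),  # wrong protocol
    ("192.0.2.13", "udp", 53, 9000),    # unrelated port
]

if __name__ == "__main__":
    for host in candidate_hosts(SAMPLE_FLOWS):
        print(host, "MTP banner" if speaks_mtp(host, timeout=1.0) else "no MTP banner")
```

A host that passes the traffic filter but returns no banner is reported as a non-match rather than an error, so the loop can run unattended over a long candidate list.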