Strange Outbound traffic

For some reason I seem to be spewing outbound traffic from one of my computers.

An example:

04/06/2011 21:44:54 **TCP FIN Scan** 192.168.2.102, 33161->> 208.43.120.24, 80 (from PPPoE1 Outbound)
04/06/2011 21:44:54 **TCP FIN Scan** 192.168.2.102, 48911->> 208.43.87.2, 80 (from PPPoE1 Outbound)
04/06/2011 20:12:23 **TCP FIN Scan** 192.168.2.102, 34290->> 208.67.212.165, 80 (from PPPoE1 Outbound)
04/06/2011 20:12:23 **TCP FIN Scan** 192.168.2.102, 40824->> 208.201.239.112, 80 (from PPPoE1 Outbound)
04/06/2011 20:12:23 **TCP FIN Scan** 192.168.2.102, 33139->> 66.117.16.23, 80 (from PPPoE1 Outbound)
04/06/2011 20:12:23 **TCP FIN Scan** 192.168.2.102, 43443->> 208.201.239.100, 80 (from PPPoE1 Outbound)
04/06/2011 20:12:23 **TCP FIN Scan** 192.168.2.102, 57547->> 208.201.239.101, 80 (from PPPoE1 Outbound)
04/06/2011 20:12:23 **TCP FIN Scan** 192.168.2.102, 37166->> 81.22.38.99, 80 (from PPPoE1 Outbound)


The router, which is brand new, is a SMC ADSL Barricade N Pro
The computer only has firefox, chrome, thubderbird, skype, tomcat and mysql on it: No games, not torrent software, etc.


It's quite confusing.

Those are connections to websites, you're visiting. Notice the random large port numbers(which make your computer more secure) for your computer ip address(192.168.2.102) and they're connected to the 80 port(http) of the websites' ip addresses.

sartresrook,
From http://www.dnsstuff.com/?ptype=free

IP Information - 208.43.120.24
IP address: 208.43.120.24
Reverse DNS: hades.bleepingcomputer.com.
Reverse DNS authenticity: [Verified]
ASN: 36351
ASN Name: SOFTLAYER
IP range connectivity: 6
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 208.40.0.0 to 208.47.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): -- []
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
Link for WHOIS: 208.43.120.24

IP Information - 66.117.16.23
IP address: 66.117.16.23
Reverse DNS: content.atomz.com.
Reverse DNS authenticity: [Verified]
ASN: 19041
ASN Name: WSCS
IP range connectivity: 6
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 66.116.0.0 to 66.117.255.255
Country fraud profile: Normal
City (per outside source): San Bruno, California
Country (per outside source): US [United States]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
Link for WHOIS: 66.117.16.23

PPPoE1 links - might be related to your gear
http://forum.bitdefender.com/index.php?showtopic=21958
I don't know what the "1" at the end means.

PPPoE is point-to-point over ethernet - a type of protocol normally used by DSL providers.
http://en.wikipedia.org/wiki/Point-to-Point_Protocol

Are you on Windows XP? if so, those ports are not normal (unless it's a DNS request).
If Windows7 or Vista, the high numbers of your local ports might be ok.

What made the log you posted with entries such as
"04/06/2011 21:44:54 **TCP FIN Scan** 192.168.2.102, 33161->> 208.43.120.24, 80 (from PPPoE1 Outbound)"
TCP FIN is ok, but what puts "Scan" word in?

TCP outbound to bleepingcomputer website's port 80 is you making a connection to bleepingcomputer

Thank you so much for your posts! Thanks also for that handy link dnsstuff.com

The logs I posted were created by my SMC router itself: ie I am viewing the logs by logging into that router.

I'm running ubuntu 10.4 (dual boot to xp but everything I've posted here so is that linux machine interacting with that smc router)

But I'm dangerously ignorant of this stuff and really, really appreciate learning more.


So do I understand correctly that a message like:
**TCP FIN Scan** 192.168.2.102, 37166->> 81.22.38.99, 80 (from PPPoE1 Outbound)

Happens when browsing with say Firefox, some of the page requests are converted to port 37166 and the router changes them back to port 80 before querying the server?

If so, how did a request on port 37166 get past my computer's firewall which is "deny out" for all but a few ports (certainly not 37166)

Does it mean the machine with lan ip 192.168.2.102 made a request on port 37166 to 81.22.38.99 which the router converted to port 80?

So do I understand correctly that a message like:
**TCP FIN Scan** 192.168.2.102, 37166->> 81.22.38.99, 80 (from PPPoE1 Outbound)

Happens when browsing with say Firefox, some of the page requests are converted to port 37166 and the router changes them back to port 80 before querying the server?

When you connect to a webpage, a TCP connection is made, from a local port (here 37166) to the standard web server's port 80, the server's IP being 81.22.... in this instance. The server then sends pages to your port 37166, as that's what the TCP protocol established in the first place when you connected. The server, to send you data, has to know your IP and which port to send the data. It's an agreement of sorts. If you open another session or anothe browser, you will see that agreement happen over a different port. Often several ports. Also in the picture is your router which translates your real, external IP which is exposed to the internet, to your LAN IP address.

If so, how did a request on port 37166 get past my computer's firewall which is "deny out" for all but a few ports (certainly not 37166)

When you request an outgoing connection, a router normally will permit. How else would you communicate with the internet if you block all outbound. Do you really have a rule in the firewall to block outbound? If so, what is the firewall, and can you quote the rule? Also are you using Vista or Windows7? On XP the local ports would be, roughly 1024-5000. So if you are on XP, outgoing traffic over a high port number might indicate trouble. Except for DNS requests.

Does it mean the machine with lan ip 192.168.2.102 made a request on port 37166 to 81.22.38.99 which the router converted to port 80?

Once again: your computer, local port 37166 communicates with the webserver, port 80 (http) or 443 (https) for secure connections. No, no conversion is taking place. One conversion is the translation of who you are. Router packs up your local IP and the requesting port into an outer envelope which contains the external IP and router's port. Router keeps a log of what's what. When the data comes back to you, router strips the external envelope and delivers the data to your local IP and local port.

]If so, how did a request on port 37166 get past my computer's firewall which is "deny out" for all but a few ports (certainly not 37166)

When you request an outgoing connection, a router normally will permit. How else would you communicate with the internet if you block all outbound. Do you really have a rule in the firewall to block outbound? If so, what is the firewall, and can you quote the rule? Also are you using Vista or Windows7? On XP the local ports would be, roughly 1024-5000. So if you are on XP, outgoing traffic over a high port number might indicate trouble. Except for DNS requests.

Thank you for that explanation: very informative!

But about the firewall allowing port 37166. I imagine the router would allow outbound connections on that port.

But my computer itself (which is linux ubunbtu) has the flowing firewall settings.


Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To Action From
-- ------ ----
53/udp ALLOW OUT Anywhere
21,80,443,465,995/tcp ALLOW OUT Anywhere
1863,5222,5223,6667,8010/tcp ALLOW OUT Anywhere
5222/udp ALLOW OUT Anywhere
Anywhere DENY OUT Anywhere



As you see, it allows port 80 (and some others) but not 37166. How does the browser make connections on port 37166 given these firewall settings?

Think of it this way:
<YourIP + local port> is allowed to talk with <Remote IP + remote port> using a specified protocol, TCP or UDP.
You make the connection. Remote synchronizes with you and can talk back.

Your rules specify which remote ports you can connect to and which protocols. And no other remote ports permitted.
Your rules do not restrict local ports.
[comment: On Windows XP I restrict local ports to 1027-5000 as that's what Windows uses for applications].

So to get a URL translated to IP, your computer + any local port is allowed to any IP + port 53, using UDP protocol.
[comment: you could limit remote IPs to your DNS servers, not any old IP. Just as in the firewall you could spcify specific mail servers you use so you'll block sending mail to wrong servers]

To get to bleepingcomputer.com, your IP + any local port is allowed to get bleeping IP from the DNS server's port 53.
Then from your IP + any local port you will connect, by TCP, to bleeping http port 80. Or any other website.

Windows (or ubuntu I'm sure) selects the local port and says to the browser hey, talk to me through this little hole numbered 37166 and I'll talk to your little opening, one of 65 thousand, designated as port 80 (or 443 or 465...).