All,
From the most recent 12-hour NetFlow sampling, these are the ports most commonly attempted to IPs in my subnet (for which I host no available inbound services and have a general firewall rule against):
tcp/22 - SSH
tcp/23 - Telnet
tcp/2323 - Telnet 'Alternative'
tcp/2222 - SSH 'Alternative'
tcp/631
tcp/3306
tcp/3389 - Microsoft Remote Desktop Protocol
tcp/5358
tcp/5555
tcp/8081
tcp/8888
tcp/9200
udp/161 - Simple Network Management Protocol
udp/523
udp/623
tcp/502
udp/5060 - Session Initiation Protocol - Voice over IP
ICMP Packets not corresponding to any sent packets:
ICMP Time-Exceeded-In-transit
ICMP Destination-Host-Unreachable
ICMP Destination-Port-Unreachable
Other:
ICMP Echo-Request (normal pinging)
These four particular NetFlow data are somewhat alarming, since it appears an attempt may have been made to send a RIP packet:
2017-04-29 20:56:05.866 0.000 TCP 94.102.49.193:31430 -> 44.60.44.131:8099 1 40 1
2017-04-29 21:22:16.421 0.000 UDP 94.102.49.193:12902 -> 44.60.44.2:520 1 52 1
2017-04-29 21:41:19.325 0.000 TCP 94.102.49.193:1702 -> 44.60.44.131:9051 1 40 1
2017-04-29 22:06:55.283 0.000 TCP 94.102.49.193:26459 -> 44.60.44.131:4911 1 40 1
This occurs 24x7x365. Those who do not run firewalls to block services from the Internet should really consider it.
- KB3VWG
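
Added example, not part of the original message: a small Python parser for flow records in the nfdump/NfSen line layout quoted above, which tallies probes per destination port, counts distinct targets per source, and flags ports on a watch list. The WATCH table and the function names are assumptions made for this illustration.

```python
import re
from collections import Counter, defaultdict

# The four flow records quoted in the post, NfSen link residue removed.
FLOWS = """\
2017-04-29 20:56:05.866 0.000 TCP 94.102.49.193:31430 -> 44.60.44.131:8099 1 40 1
2017-04-29 21:22:16.421 0.000 UDP 94.102.49.193:12902 -> 44.60.44.2:520 1 52 1
2017-04-29 21:41:19.325 0.000 TCP 94.102.49.193:1702 -> 44.60.44.131:9051 1 40 1
2017-04-29 22:06:55.283 0.000 TCP 94.102.49.193:26459 -> 44.60.44.131:4911 1 40 1
"""

# Line layout: date time, duration, proto, src:port -> dst:port, packets, bytes, flows
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<dur>[\d.]+)\s+"
    r"(?P<proto>[A-Z]+)\s*(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)$"
)

# Assumed watch list (not from the post): services that should never arrive from outside.
WATCH = {("UDP", 520): "RIP", ("UDP", 161): "SNMP"}

def parse(text):
    """Yield one dict per well-formed flow line; headers and blanks are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "pkts", "bytes", "flows"):
            rec[key] = int(rec[key])
        yield rec

def summarize(text):
    """Return (hits per proto/port, distinct targets per source, watch-list alerts)."""
    by_port = Counter()
    targets = defaultdict(set)
    alerts = []
    for r in parse(text):
        key = (r["proto"], r["dport"])
        by_port[key] += 1
        targets[r["src"]].add((r["proto"], r["dst"], r["dport"]))
        if key in WATCH:
            alerts.append(f'{r["ts"]} {WATCH[key]} probe {r["src"]} -> {r["dst"]}')
    return by_port, targets, alerts

if __name__ == "__main__":
    by_port, targets, alerts = summarize(FLOWS)
    for (proto, port), n in by_port.most_common():
        print(f"{proto.lower()}/{port}: {n}")
    print("\n".join(alerts))
```

A single source reaching several unrelated ports with one-packet flows, as in these four records, is the pattern the per-source target count is meant to surface.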