3

I might embarrass myself with this question, because of something really obvious, but I'm puzzled.

My home broadband firewall log says it has been blocking incoming TCP traffic with a source (!) port of 443. What in the world might that be? If somebody was attempting an HTTPS connection, that would be destination port 443, not source port, right?

Here's the entry from the log file:

[UFW BLOCK] IN=enp3s0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=xx.xx.xx.x DST=xx.xx.xx.xx LEN=89 TOS=0x00 PREC=0x20 TTL=59 ID=58112 DF PROTO=TCP SPT=443 DPT=56419 WINDOW=7776 RES=0x00 ACK PSH URGP=0

What might this be trying to do?

5
  • 1
    Anyone can use any source port of their choice. The first 0-1024 ports are reserved, but there is nothing preventing them from making a conscious decision to set the source port to 443.
    – Darius
    Commented Feb 3, 2014 at 22:20
  • Why would anybody do this though?
    Commented Feb 3, 2014 at 22:21
  • Isn't Port 443 the HTTPS port?
    – dotVezz
    Commented Feb 3, 2014 at 22:22
  • @dotVezz indeed, which is why it is so surprising that this port is the source (rather than the destination) port.
    Commented Feb 4, 2014 at 0:12
  • 1
    I'm seeing this a lot coming from Google IP addresses.
    – Michael
    Commented May 27, 2016 at 20:14

4 Answers

6

There is nothing restricting which source port you use when you open a TCP connection (it may require root/superuser/admin privileges to use a source port < 1024).

In any case, most likely, if you are seeing traffic that originates externally with a source port of 443, what you are seeing is an attack (probably a bot running a script) that is hoping you have a bug in your firewall configuration (firewall rules) and will let in traffic that originates from port 443, because you almost certainly do allow outbound traffic destined to port 443.

2

If it is a SYN packet with source port 443, then this is more than likely nefarious. Your packet is an ACK PSH, so it will be a connection you have dropped at your end, but the web server you were connected to has not received a FIN or RST packet and keeps sending you data.

1

You should provide more information if you want to know about it. That connection could have been from any program. If you want to know which TCP connections (on port 443) your computer has, you can run the netstat program and check the IP and the program.

# netstat -ntp | grep :443

Also, you can use a sniffer to capture the traffic and see the origin of this connection, filtering by port 443 and IP. Additionally, you can do a whois on the IP to see where you are sending.

$ whois <ip>

If you want to see the TCP ports that your PC has in listening mode, execute:

# netstat -lnt

and if you want to see which program is listening, use the argument -p

1
  • I understand what my computer is doing, that wasn't the question I'm afraid. Commented Feb 4, 2014 at 0:13
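Taken together, the answers above describe a triage procedure for a blocked packet with a well-known source port: decide from the TCP flags whether it is an unsolicited SYN (a probe for rules that trust the source port) or a mid-stream ACK/PSH segment (a connection the stateful firewall no longer tracks), then check with netstat whether a local socket still matches the blocked flow. The script below is an added example, not code from any of the answers or from UFW; its log lines and netstat snapshot are constructed (documentation-range IPs, placeholder MAC, invented program name), with the first log line mirroring the question's entry.

```python
"""Triage '[UFW BLOCK]' entries whose source port is a well-known port (e.g. SPT=443).

Added example, not from any of the answers above. All input data is constructed:
documentation-range IPs, a placeholder MAC and an invented netstat snapshot.
"""

# TCP flag words and the DF bit, which UFW/iptables logging prints as bare tokens
FLAG_TOKENS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "DF", "CE"}

# Constructed sample log: line 1 mirrors the question's entry (ACK PSH from
# source port 443), line 2 is a bare SYN from source port 443, line 3 is UDP.
UFW_LOG = """\
[UFW BLOCK] IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=89 TOS=0x00 PREC=0x20 TTL=59 ID=58112 DF PROTO=TCP SPT=443 DPT=56419 WINDOW=7776 RES=0x00 ACK PSH URGP=0
[UFW BLOCK] IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=443 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=UDP SPT=53 DPT=33434
"""

# Constructed 'netstat -ntp' snapshot, as if taken on the same host.
NETSTAT_SNAPSHOT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.5:56419         203.0.113.10:443        ESTABLISHED 1234/firefox
tcp        0      0 192.0.2.5:40000         198.51.100.9:443        TIME_WAIT   -
"""


def parse_ufw_line(line: str) -> dict:
    """Turn one '[UFW BLOCK] ...' line into a dict of KEY=value fields
    plus a 'FLAGS' set holding the bare tokens (ACK, PSH, SYN, DF, ...)."""
    entry = {"FLAGS": set()}
    prefix, _, rest = line.partition("]")
    entry["ACTION"] = prefix.strip("[ ")  # e.g. 'UFW BLOCK'
    for token in rest.split():
        if "=" in token:
            key, value = token.split("=", 1)  # 'OUT=' yields an empty value
            entry[key] = value
        elif token in FLAG_TOKENS:
            entry["FLAGS"].add(token)
    return entry


def classify(entry: dict) -> str:
    """Verdict for one blocked packet based on protocol, flags and source port."""
    if entry.get("PROTO") != "TCP":
        return "not-tcp"
    flags = entry["FLAGS"]
    sport = int(entry.get("SPT", 0))
    if "SYN" in flags and "ACK" not in flags:
        # Unsolicited connection attempt. A privileged source port such as 443
        # is the pattern the first answer describes: a test for rules that
        # accept traffic by source port instead of by connection state.
        return "sport-probe" if sport < 1024 else "unsolicited-syn"
    if "ACK" in flags:
        # Mid-stream segment with no conntrack entry: the second and fourth
        # answers' case, a connection the local side closed or let idle.
        return "stale-connection"
    return "unclassified"


def parse_netstat(text: str) -> list:
    """Parse 'netstat -ntp' style output into socket dicts (header lines skipped)."""
    sockets = []
    for line in text.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue
        parts = line.split()
        local_addr, local_port = parts[3].rsplit(":", 1)
        foreign_addr, foreign_port = parts[4].rsplit(":", 1)
        sockets.append({
            "proto": parts[0], "local_addr": local_addr, "local_port": local_port,
            "foreign_addr": foreign_addr, "foreign_port": foreign_port,
            "state": parts[5], "program": parts[6] if len(parts) > 6 else "-",
        })
    return sockets


def find_local_socket(entry: dict, sockets: list):
    """Return the local socket whose 4-tuple matches the blocked packet, if any."""
    for sock in sockets:
        if (sock["local_port"] == entry.get("DPT")
                and sock["foreign_addr"] == entry.get("SRC")
                and sock["foreign_port"] == entry.get("SPT")):
            return sock
    return None


def triage(log_text: str, netstat_text: str) -> list:
    """Per log line: (flow description, verdict, owning program or None)."""
    sockets = parse_netstat(netstat_text)
    report = []
    for line in log_text.splitlines():
        entry = parse_ufw_line(line)
        sock = find_local_socket(entry, sockets)
        flow = f"{entry['SRC']}:{entry['SPT']} -> {entry['DPT']}"
        report.append((flow, classify(entry), sock["program"] if sock else None))
    return report


if __name__ == "__main__":
    for flow, verdict, program in triage(UFW_LOG, NETSTAT_SNAPSHOT):
        print(f"{flow:32} {verdict:18} {program or '-'}")
```

On real data, feed it lines grepped from /var/log/ufw.log (or wherever your distribution sends kernel firewall messages) and the live output of netstat -ntp; a "stale-connection" verdict whose flow still matches a local socket is the idle-connection case from the last answer, while a "sport-probe" verdict with no local socket is the case the first answer warns about and is worth confirming that no rule accepts traffic purely by source port.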
0

I think this answer here is also a logical answer:

... A probable reason for this traffic is that your apache server still thinks that the connection is open and is trying to reply to it, while your firewall thinks that the connection is closed and thus that the session is no longer active. This may happen if a connection is idle for a longer time than the conntrack module thinks reasonable. ...

