So I just noticed that my FW log is full of blocked traffic to port 5716 from several different IPs. I tried to look it up on Google but there is no useful info on it out there. Normally I would book it as some random port scan but this has been going on for days now…
I would appreciate any info on what it could be and if I should care about it. Thanks in advance!
You would have to put a honeypot on that port to capture the data on that port to truly know, but it could be a port used by a botnet to find infected machines.
I tried a packet capture on the router (custom built, running pfSense) on that port but I couldn't make any sense of the data inside the packets:
Do you use Avast in any way? Looks like spam from a domain.
No. I use Avira or McAfee depending on who uses that PC.
But I do have some public game servers and a DDNS domain.
Could someone recommend a good guide for setting up a honeypot? (In the meantime I'll dig up my spare RPi 2.)
Take a look at https://www.anomali.com; they have a subsidiary that offers an open source honeypot, and look at the STAXX software as well. I think Tom mentioned them on one of his Vlog Thursday casts. SANS.org would be another great source of info.
Okay, I have HNS with a separate machine running the sensors. I forwarded the port to that machine but so far none of the sensors have triggered on it…
(Sorry for the long silence, I had some trouble with a failed Debian upgrade.)
Are the knocks coming from the same IP or are they distributed across many IPs? You may want to block a range of IPs or a whole net block. Use a drop connection.
It's distributed across many IPs, as can be seen in the Wireshark log. For now I'm not that worried since the FW blocked them anyway. It just piqued my curiosity: why the hell are those IPs banging on a closed and unused port…
Ok, you are ahead of the game. Some years back Stephen Northcutt wrote about similar situations when he wrote the Shadow IDS while working for the Navy. It's good to be curious; you never know what you may uncover.
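As an added example (not posted by anyone in this thread), here is a small Python script that answers the "same IP or distributed?" question from the pfSense filter log instead of by eyeballing Wireshark: it counts distinct blocked sources hitting port 5716 and rolls them up by /24 so you can judge whether a net-block rule would even help. The log lines are constructed, and the filterlog field positions (action, direction, src, dst, dstport) are assumed from the IPv4/TCP record layout.

```python
import ipaddress
from collections import Counter

# Constructed pfSense filterlog lines (not from the thread). Field layout assumed:
# after the syslog prefix, a comma-separated record whose IPv4/TCP fields put
# action at index 6, direction at 7, src at 18, dst at 19, dstport at 21.
SAMPLE_LOG = """\
Mar 10 12:00:01 pfSense filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,51,3452,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51234,5716,0,S,1:1,,65535,,mss
Mar 10 12:00:07 pfSense filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,48,9121,0,DF,6,tcp,60,203.0.113.77,198.51.100.10,40211,5716,0,S,1:1,,65535,,mss
Mar 10 12:00:09 pfSense filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,54,1771,0,DF,6,tcp,60,192.0.2.19,198.51.100.10,52780,5716,0,S,1:1,,65535,,mss
Mar 10 12:00:15 pfSense filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,51,3453,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51235,5716,0,S,1:1,,65535,,mss
Mar 10 12:00:20 pfSense filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,60,8812,0,DF,6,tcp,60,198.18.4.2,198.51.100.10,44001,22,0,S,1:1,,65535,,mss
Mar 10 12:00:31 pfSense filterlog[1234]: 5,,,1000000103,em0,match,pass,in,4,0x0,,64,2210,0,DF,6,tcp,60,192.0.2.19,198.51.100.10,52781,5716,0,S,1:1,,65535,,mss
"""

def parse_filterlog(text):
    """Yield (action, direction, src, dst, dport) for each IPv4 TCP/UDP record."""
    for line in text.splitlines():
        if "filterlog" not in line:
            continue
        fields = line.split("filterlog", 1)[1].split(": ", 1)[1].split(",")
        if len(fields) < 22 or fields[8] != "4":   # IPv4 records only
            continue
        yield fields[6], fields[7], fields[18], fields[19], int(fields[21])

def blocked_sources(text, port):
    """Distinct source IPs whose inbound hits on `port` were blocked, with hit counts."""
    hits = Counter()
    for action, direction, src, _dst, dport in parse_filterlog(text):
        if action == "block" and direction == "in" and dport == port:
            hits[src] += 1
    return hits

def summarize(text, port):
    """One noisy source or many? Roll blocked sources up by /24 to see if a
    net-block rule would cover a meaningful share of the knocks."""
    hits = blocked_sources(text, port)
    blocks = Counter()
    for ip, n in hits.items():
        blocks[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += n
    return {"unique_sources": len(hits), "total_hits": sum(hits.values()),
            "top_net_blocks": blocks.most_common(3)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, 5716))
```

Feed it the real log with `summarize(open("/var/log/filter.log").read(), 5716)`; a high unique-source count with no dominant /24 means net-block rules will not buy much and the plain drop rule you already have is the right answer.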