10-06-2003 02:14 AM - edited 03-09-2019 05:02 AM
hello all,
v.quick one.
When a host initiates a TCP connection, does it always use a source port of GT 1023? Are there applications that could init a connection with a source port below 1023 in the reserved range?
Many thx indeed.
10-06-2003 03:10 AM
Generally that should be the case. I cannot think of a normal application that uses a source port below 1023 - most port scanning security utilities should have the functionality to specify any source port number that you want.
10-07-2003 02:21 PM
In normal network operation it should.
Applications that "initiate" a session with a src port below 1023 are typically running a service on a PC or Server that has been hacked and "rooted".
That's why it is always good security practice to block outgoing TCP pkts (with the SYNchronization flag set) with src port below 1023.
TCP pkts with ONLY the combinations of SYN-ACK, ACK, PSH ACK, RST, FIN, and FIN-ACKs should be ok though to let out under 1023 if you have servers on the inside of your network. These usually denote normal network operation (through traffic).
Don Garnett
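The egress rule described in the reply above, as an added example that is not part of the original thread: a Python sketch that parses a raw TCP header and returns "block" for an outbound segment that opens a connection (SYN set, ACK clear) from a source port below 1023, and "allow" for the reply and through-traffic flag combinations the reply lists. The function names, the `LOW_PORT_LIMIT` constant and the sample headers are constructed for illustration; the threshold follows the reply's wording.

```python
import struct

# TCP flag bits (low bits of the 16-bit offset/flags field)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
LOW_PORT_LIMIT = 1023  # assumption: threshold as worded in the reply ("below 1023")


def parse_tcp_header(header: bytes):
    """Return (src_port, dst_port, flags) from the fixed 20-byte TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", header[:20]
    )
    return src, dst, off_flags & 0x3F  # keep URG/ACK/PSH/RST/SYN/FIN


def egress_verdict(header: bytes) -> str:
    """Apply the rule to one outbound segment: 'block' or 'allow'."""
    src, _dst, flags = parse_tcp_header(header)
    # A connection attempt has SYN set and ACK clear; SYN-ACK is a server reply.
    initiating = (flags & SYN) != 0 and (flags & ACK) == 0
    if initiating and src < LOW_PORT_LIMIT:
        return "block"
    return "allow"


def build_header(src: int, dst: int, flags: int) -> bytes:
    """Construct a minimal sample header (data offset 5, checksum left at 0)."""
    return struct.pack("!HHIIHHHH", src, dst, 1000, 0, (5 << 12) | flags, 8192, 0, 0)


if __name__ == "__main__":
    # Constructed sample segments: (source port, destination port, flags)
    samples = [
        (600, 80, SYN),          # initiation from a low source port
        (80, 40000, SYN | ACK),  # inside server answering a client
        (25, 33000, PSH | ACK),  # inside server sending data
        (49152, 443, SYN),       # ordinary client connection
    ]
    for src, dst, flags in samples:
        print(src, dst, f"{flags:#04x}", egress_verdict(build_header(src, dst, flags)))
```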