About a week ago, I put up a quick post asking if anyone knew what kind of traffic is directed at tcp/32709. Since there did not seem to be much known about this port, I did some snooping around myself. I fired up a simple netcat port listener on port 32709 and waited for incoming connections:
$ nc -vvlp 32709 |tee 32709.log
listening on [any] 32709 ...
Warning: forward host lookup failed for hn.kd.dhcp:Unknown host
connect to [126.96.36.199] from hn.kd.dhcp [188.8.131.52] 1976
sent 0, rcvd 106 : Connection reset by peer
While mostly binary, there are some clues in here. Specifically [CHN] and [VeryCD]. Given the fact that all the scans that I detected originated from Chinese IP ranges, I suspect that [CHN] stands for "Chinese". Not sure if it is Chinese encoding, Chinese language, or something else.
The second hint is [VeryCD]. A quick Google for VeryCD turns up
that this is an "eMule based Chinese P2P media directory". Some more
Googling reveals that VeryCD clients are insanely aggressive in probing
for new file-sharing servers. I suspect that this is exactly the
behavior that hit my machine.
For now, I'll keep the following
networks blocked; it took away just about any and all portscanning that
was hitting me (that is; that I detected ;)
yes, that does represent an aweful lot of hosts that can longer read my
blog. I'll live with that; there are plenty legitmate sources as well
as illegitimate sources that carry my content.