I've been having some issues with my website and recently dealt with a minor DDoS attack that caused my server to go down for days. To stop it, I had to use GeoIP bans on entire countries, which, while not the best practice, did work in my case. Since then, I've been keeping an eye on my firewall logs and noticed a lot of probing attempts to port 42906. My firewall blocks this port, but I'm curious why there are so many connection attempts, sometimes multiple times per minute from various IP addresses. I did some research, but it seems this port is just part of the ephemeral range. For the most part, the connection attempts are TCP, but there are a few UDP ones as well. It's worth noting that this is a hardware firewall, so these connections don't reach my web server since that port is closed there too. Any ideas on what's going on?
2 Answers
You might want to check if there's anything listening on that port first. If you're on a Linux box, try running `netstat -tap | grep 42906` or `lsof | grep 42906`. You can also try using nmap from another machine to see if that port responds. It's possible that there's something misconfigured, or it's just a target for random probing.
If you can swing it, consider getting a web app firewall (WAF) service. You could set up access rules to only let certain IPs through, and it would handle the bulk of your security defenses. I had a similar experience, and a WAF really simplified the process of whitelisting and blacklisting, plus it helped protect against more sophisticated attacks.
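To put the two checks from this answer together, here is an added example (not code from the original thread): one function answers "is anything on this host actually accepting connections on that port?" and another tallies blocked attempts to the port by source address and protocol, which is what you would look at to tell a single noisy source from broad scanning. It goes slightly beyond the answer by also doing the log aggregation. The log lines are constructed for the example; their field layout is an assumption and is not pfSense's real filterlog format, so adapt `parse_line()` to whatever your firewall actually writes.

```python
"""Check whether a port is listening locally and summarise blocked probes
to it from firewall log lines.  Added example; the log format is constructed."""
import socket
from collections import Counter
from contextlib import contextmanager

PORT = 42906

# Constructed sample (NOT real pfSense output).  Assumed layout:
#   "<timestamp> <action> <iface> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2024-05-01T12:00:01 block wan tcp 203.0.113.5:51234 -> 198.51.100.10:42906
2024-05-01T12:00:07 block wan tcp 198.18.4.9:44020 -> 198.51.100.10:42906
2024-05-01T12:00:19 block wan udp 203.0.113.5:51235 -> 198.51.100.10:42906
2024-05-01T12:00:31 block wan tcp 192.0.2.77:60001 -> 198.51.100.10:42906
2024-05-01T12:00:40 block wan tcp 203.0.113.5:51236 -> 198.51.100.10:42906
2024-05-01T12:00:55 block wan tcp 192.0.2.78:60002 -> 198.51.100.10:443
2024-05-01T12:01:02 pass wan tcp 192.0.2.90:33333 -> 198.51.100.10:443
"""


def parse_line(line):
    """Split one constructed log line into a dict of fields."""
    ts, action, iface, proto, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "action": action, "iface": iface, "proto": proto,
            "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport)}


def probe_summary(log_text, port):
    """Aggregate blocked attempts against `port`: total, distinct sources,
    protocol breakdown and the busiest sources."""
    by_src, by_proto, total = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] != "block" or rec["dport"] != port:
            continue
        total += 1
        by_src[rec["src"]] += 1
        by_proto[rec["proto"]] += 1
    return {"total": total,
            "distinct_sources": len(by_src),
            "by_proto": dict(by_proto),
            "top_sources": by_src.most_common(5)}


def is_listening(port, host="127.0.0.1", timeout=0.5):
    """True if a TCP connect to host:port succeeds, i.e. something accepts
    connections there; False on refusal or timeout (the netstat/lsof check
    from the answer, done over the network instead of via the process table)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@contextmanager
def temporary_listener(host="127.0.0.1"):
    """Bind a throwaway TCP port on localhost so is_listening() can be
    demonstrated without touching anything real on the machine."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind((host, 0))
        srv.listen(1)
        yield srv.getsockname()[1]
    finally:
        srv.close()


if __name__ == "__main__":
    print("listening on %d locally: %s" % (PORT, is_listening(PORT)))
    with temporary_listener() as p:
        print("listening on throwaway port %d: %s" % (p, is_listening(p)))
    s = probe_summary(SAMPLE_LOG, PORT)
    print("blocked attempts to %d: %d from %d distinct sources, by protocol %s"
          % (PORT, s["total"], s["distinct_sources"], s["by_proto"]))
    for src, n in s["top_sources"]:
        print("  %-16s %d" % (src, n))
```

On the sample data this reports 5 blocked attempts from 3 distinct sources (4 TCP, 1 UDP), with 203.0.113.5 responsible for three of them. Many distinct sources each sending a handful of packets looks like scanning; one source sending steadily is worth looking up on its own. Run `is_listening()` from a second machine against the public address if you want the same answer nmap would give you, since the loopback check only tells you about the host it runs on.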
I know Cloudflare offers WAF, but I’m currently on the free plan, which doesn't include those features. My setup uses a pfSense firewall, and it was effective in stopping the DDoS after I implemented GeoIP blocking.
I did check all my servers on the network, and none of them have that port open.