When looking at my firewall logs, I see attempts to get to my public IP address with UDP packets and destination port 52217. My firewall drops them as it should. But I ran a trace on that segment, and then noticed that a private IP address was hitting my public IP address with that same destination port of 52217 at 1205-second intervals. The MAC address associated with that IP address was a Cisco device and it was very probably the default gateway of my ISP. I say this because I saw a lot of ARP requests coming from that MAC address.
I called my ISP and asked if they had a security specialist I could speak to regarding this. Naturally, I was told that if I was not running the security package they provide, there was nobody for me to speak with. I escalated it to a supervisor who was nice enough to take the information I could give him, and was told that he would take it up with a problem resolution team. I haven't heard anything since.
So, why do UDP packets with destination port 52217 seem to be so prevalent, and why would a Cisco router/firewall be sending them? I could see it if these were workstations that had been compromised in some way. Is it possible that this Cisco device has been compromised? BTW, I no longer see those packets from that device.
asked 19 Oct '10, 10:49
This is really open ended. Every 20 minutes you're getting hit with a UDP packet to your external interface. The layer 2 address will likely always be the carrier's upstream MAC address - depending on how you're connected there are only going to be 2 devices on the link, you and them. Given THAT, it's not likely that the UDP traffic is truly originating from the MAC address you're seeing. What kind of device are you getting the log data from? If you can grab the whole packet you may be able to dive into it a bit more. I would lean toward it being P2P related...
answered 19 Oct '10, 11:10
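The answer above asks what the log data looks like and points out that the layer-2 source will always be the upstream router. The following is an added example, not code from the original thread or from any poster: it runs the kind of check the questioner did by hand over constructed netfilter-style drop lines (the addresses, MAC and timestamps are made up for illustration), grouping hits on a destination port by source IP, measuring the inter-arrival interval, flagging RFC 1918 sources, and showing that every frame carries the same sender MAC regardless of the IP behind it.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample log in the netfilter "kernel: ... SRC= DST= ... DPT=" style.
# Not the questioner's real logs; one private source repeats every 1205 s,
# two public sources hit the port once each, and every frame shares one sender MAC.
SAMPLE_LOG = """\
2010-10-19 10:00:05 kernel: DROP IN=eth0 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=10.0.0.1 DST=203.0.113.7 PROTO=UDP SPT=52217 DPT=52217
2010-10-19 10:05:40 kernel: DROP IN=eth0 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=198.51.100.23 DST=203.0.113.7 PROTO=UDP SPT=41000 DPT=52217
2010-10-19 10:20:10 kernel: DROP IN=eth0 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=10.0.0.1 DST=203.0.113.7 PROTO=UDP SPT=52217 DPT=52217
2010-10-19 10:40:15 kernel: DROP IN=eth0 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=10.0.0.1 DST=203.0.113.7 PROTO=UDP SPT=52217 DPT=52217
2010-10-19 10:44:02 kernel: DROP IN=eth0 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=198.51.100.9 DST=203.0.113.7 PROTO=UDP SPT=6881 DPT=52217
2010-10-19 11:00:20 kernel: DROP IN=eth0 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=10.0.0.1 DST=203.0.113.7 PROTO=UDP SPT=52217 DPT=52217
2010-10-19 11:20:25 kernel: DROP IN=eth0 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=10.0.0.1 DST=203.0.113.7 PROTO=UDP SPT=52217 DPT=52217
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"MAC=(?P<mac>[0-9a-f:]{41}) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for the private ranges of RFC 1918 (not Python's broader is_private)."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def parse_log(text):
    """Parse netfilter-style drop lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mac = m["mac"].split(":")
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            # netfilter's MAC= field is dst(6):src(6):ethertype(2); bytes 6-11 are the sender
            "src_mac": ":".join(mac[6:12]),
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "spt": int(m["spt"]), "dpt": int(m["dpt"]),
        })
    return records


def source_macs(records):
    """Distinct layer-2 senders seen. One entry means everything came via one next hop."""
    return {r["src_mac"] for r in records}


def periodic_sources(records, dport, min_hits=3, tolerance=0.05):
    """Group UDP hits on dport by source IP and flag sources arriving at a steady interval.

    A source is 'periodic' when it has at least min_hits packets and the
    inter-arrival times vary by no more than tolerance * mean interval.
    """
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "UDP" and r["dpt"] == dport:
            by_src[r["src"]].append(r)
    report = {}
    for src, hits in by_src.items():
        hits.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        periodic = bool(gaps) and len(hits) >= min_hits and pstdev(gaps) <= tolerance * mean(gaps)
        report[src] = {
            "count": len(hits),
            "mean_interval": round(mean(gaps), 1) if gaps else None,
            "periodic": periodic,
            "rfc1918": is_rfc1918(src),
        }
    return report


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sender MACs on the wire:", source_macs(recs))
    for src, info in periodic_sources(recs, 52217).items():
        print(src, info)
```

In the constructed data the one RFC 1918 source shows a mean interval of 1205 s and is flagged periodic, while the two public sources are one-off hits; all frames share a single sender MAC, which is the point the answer makes: the MAC identifies the hop that handed the frame to you, not the host that built the packet.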
Are there several public IP addresses communicating to that port to an internal address? If so, locate the internal system and check the Skype preferences. You will probably find your mysterious port number there.
(at least that's where I found the answer to similar traffic on my laptop :-))
answered 19 Oct '10, 13:56
If you do not have a static IP address but get a new one every now and then this can easily happen, for example if somebody else had that IP address before you and was running a Torrent program to download files. Those often use random high ports for their communication. When he goes offline (and the IP wanders over to you) the other torrent users out there will still try to reach him and fail, and might even do that on a regular basis (probably thinking "well, maybe the torrent guy is back... now?... or... now?... or... now?..." :-))
Maybe there even is someone trying to run a torrent program on your network and wonders why it doesn't work (since your firewall keeps blocking the incoming packets). As far as I know, torrent programs register themselves on a tracker that tells all other participants "hey, there is this new guy on IP x.x.x.x using port 52217 and he wants to download the torrent content", and they start sending (or trying to).
And like the others said - the MAC address will most certainly be the one from the router of the ISP forwarding the frame to you, but the packet will most certainly not originate from the ISP but merely be forwarded.
answered 19 Oct '10, 15:52
edited 19 Oct '10, 15:56
I know this is old - but I found a reference to that port on Fujitsu's site:
52217 is apparently the default UDP port that their "scansnap" software looks for mobile devices on.
answered 10 Apr '15, 09:11