Looking for secret connections

I woke up too early the other morning and could not get back to sleep. I gave up, got up, and wandered blearily to my office. I turned on my computer and left it while I made myself some breakfast. Finishing that, I opened up Chrome and was about to go to email when I paused. Nothing was happening on my computer, but lights were flashing now and then on the router, so I logged into it to see what traffic was passing through it.

Nothing unusual to see here

As it turned out, not much of anything. Because I use Chrome there were a surprising number of outgoing connections to Google, and a few others to things like Dropbox that I recognized, but nothing suspicious. If there is any malware on my computer, it certainly wasn't active at that time.

Of course most of the time there is much more going on. The Active Connections list might fill several pages. It could be hard to pick out possibly "bad" connections from all the noise. There are some things to look for, though.

You may have noticed that I added "Destination Port" to the visible columns. Looking for unusual ports is one easy check. Most legitimate connections are to the so-called "well-known" ports and most of those today are likely to be http or https. Mix in a few email connections and that's probably 99% of your outbound connections.

Looking for common ports that certain machines should not be using is another - for example, a printer/copier probably shouldn't be making an HTTPS connection. Inbound connections are also something to look at carefully - you know (or should know) which machines accept inbound traffic; anything else is definitely suspect.

You should have traffic rules that block unexpected traffic - for example, nothing but your mailserver(s) should be allowed to make outbound connections on SMTP ports.

You may also want to turn on the Rx and Tx columns. Seeing high byte counts there might be another indication of suspicious activity. Of course this might just be a legitimate download like a software update. A high number of Tx bytes might be more suspicious.
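To make the checks above repeatable, here is an added example (not from the original post) that applies the same heuristics to an exported connection list: unexpected destination ports, a printer talking HTTPS, SMTP from anything but the mail server, inbound connections to hosts that should not accept them, and large outbound byte counts. The addresses, roles and thresholds are assumptions for a small office and the sample connections are constructed.

```python
from typing import NamedTuple

class Conn(NamedTuple):
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    direction: str  # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    rx: int         # bytes received
    tx: int         # bytes transmitted

# Hypothetical site policy (assumption: addresses and roles are invented).
EXPECTED_PORTS = {53, 80, 443, 25, 465, 587, 110, 143, 993, 995}
PRINTERS = {"192.168.1.50"}
MAIL_SERVERS = {"192.168.1.10"}
INBOUND_OK = {"192.168.1.10"}      # only hosts meant to accept inbound traffic
TX_LIMIT = 100 * 1024 * 1024       # flag outbound transfers over 100 MB

def review(conns):
    """Return (connection, reason) pairs for connections worth a closer look."""
    findings = []
    for c in conns:
        if c.direction == "in":
            if c.dst not in INBOUND_OK:
                findings.append((c, "inbound to host that should not accept connections"))
            continue
        if c.dport not in EXPECTED_PORTS:
            findings.append((c, f"unusual destination port {c.dport}"))
        if c.src in PRINTERS and c.dport == 443:
            findings.append((c, "printer making HTTPS connection"))
        if c.dport in {25, 465, 587} and c.src not in MAIL_SERVERS:
            findings.append((c, "SMTP from a non-mail host"))
        if c.tx > TX_LIMIT:
            findings.append((c, f"large outbound transfer ({c.tx} bytes)"))
    return findings

# Constructed sample of an "Active Connections" export.
SAMPLE = [
    Conn("192.168.1.20", "198.51.100.1", 443, "out", 5000, 1200),          # normal browsing
    Conn("192.168.1.50", "198.51.100.7", 443, "out", 900, 300),            # printer on HTTPS
    Conn("192.168.1.20", "203.0.113.9", 6667, "out", 200, 150),            # odd port
    Conn("192.168.1.30", "203.0.113.25", 25, "out", 100, 4000),            # workstation SMTP
    Conn("203.0.113.40", "192.168.1.20", 22, "in", 0, 0),                  # inbound to PC
    Conn("192.168.1.20", "198.51.100.8", 443, "out", 800, 500 * 1024**2),  # big upload
    Conn("192.168.1.10", "203.0.113.25", 25, "out", 3000, 9000),           # mail server
]

if __name__ == "__main__":
    for conn, reason in review(SAMPLE):
        print(f"{conn.src} -> {conn.dst}:{conn.dport} ({conn.direction}): {reason}")
```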

Looking at these connections from time to time can help you learn what is normal and expected. Another place worth looking is the WAN traffic chart. Unusual peaks of traffic at unexpected times may alert you to unauthorized behavior.

Traffic peaks

In the case shown here, that was just me upgrading my Mac OS software, but seeing that burst otherwise would have caused me to launch a serious investigation.

Got something to add? Send me email.


© Anthony Lawrence
