Monday 2 April 2012

Port 12200

As part of my analysis of the attempts on an ADSL router, I have been looking at the source port of the attempts and the majority of scans are coming from port 12200 on the scanning machines.
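The kind of source-port tally described above can be scripted. The following is an added example, not code from the original post: the iptables-style log format, the sample lines and all function names are assumptions, since the post does not show the router's log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in iptables LOG style (assumed format; the post does not
# show the router's log). Addresses are from the documentation ranges.
SAMPLE_LOG = """\
Apr  2 09:14:01 gw kernel: IN=ppp0 SRC=192.0.2.10 DST=203.0.113.1 PROTO=TCP SPT=12200 DPT=8080 SYN
Apr  2 09:14:09 gw kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=12200 DPT=3128 SYN
Apr  2 09:15:30 gw kernel: IN=ppp0 SRC=203.0.113.44 DST=203.0.113.1 PROTO=TCP SPT=12200 DPT=80 SYN
Apr  2 09:15:31 gw kernel: IN=ppp0 SRC=192.0.2.10 DST=203.0.113.1 PROTO=TCP SPT=12200 DPT=1080 SYN
Apr  2 09:17:12 gw kernel: IN=ppp0 SRC=198.51.100.99 DST=203.0.113.1 PROTO=TCP SPT=51344 DPT=23 SYN
Apr  2 09:20:45 gw kernel: IN=ppp0 SRC=192.0.2.77 DST=203.0.113.1 PROTO=TCP SPT=40112 DPT=22 SYN
Apr  2 09:21:02 gw kernel: IN=ppp0 SRC=198.51.100.3 DST=203.0.113.1 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD_RE = re.compile(r"\b(SRC|SPT|DPT)=(\S+)")

def parse_line(line):
    """Return (src_ip, src_port, dst_port), or None for lines without ports."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return fields["SRC"], int(fields["SPT"]), int(fields["DPT"])
    except (KeyError, ValueError):
        return None  # e.g. ICMP entries or truncated lines

def source_port_profile(log_text):
    """Map source port -> (attempts, distinct source hosts, destination ports)."""
    attempts, hosts, targets = Counter(), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, spt, dpt = parsed
        attempts[spt] += 1
        hosts[spt].add(src)
        targets[spt].add(dpt)
    return {p: (n, len(hosts[p]), sorted(targets[p])) for p, n in attempts.items()}

def shared_source_ports(profile, min_hosts=3):
    """Source ports seen from several unrelated hosts. Ports each host's stack
    picked on its own would rarely coincide, so reuse suggests a common tool."""
    return sorted(p for p, (_, h, _) in profile.items() if h >= min_hosts)

if __name__ == "__main__":
    profile = source_port_profile(SAMPLE_LOG)
    for port, (n, h, dpts) in sorted(profile.items(), key=lambda kv: -kv[1][0]):
        print(f"SPT {port:>5}: {n} attempts, {h} host(s), DPT {dpts}")
    print("shared across hosts:", shared_source_ports(profile))
```
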



A quick check of the uses of the port on the internet revealed the following usage:
  • employed as one of the switch ports of a storage area network (SAN) of storage disks covered by U.S. patent 6947939, which has the capacity to facilitate communication between two switch ports in different zoning configurations.
  • utilized by Tenebril's software Ghost Surf, which usually launches by default as a wide-open proxy. It has also been employed by GnucDNA, which is one of the crucial elements in building peer-to-peer (p2p) applications for Gnutella clients or networks.
  • has also been recommended as a replacement for the well-known port 80 and port 8080 when they are blocked by the Internet Service Provider or when they are rejected by the Linksys router.
One common footnote on a number of websites was that port 12200 has been associated with scanners looking for open proxies to take over maliciously, which ties up nicely with the port being used for open proxies. If I can find the necessary spare equipment, I am going to put an ADSL modem in front of a firewall and router and fit an Ethernet tap to capture the packets from the attempts for a more detailed analysis.
