Are TCP/UDP IP packets with a source port below 1024 possible

I am analyzing some events against dns servers running unbound. In the course of this investigation I am running into traffic involving queries to the dns servers that are reported as having in some cases a source port between 1 and 1024. As far as my knowledge goes these are reserved for services so there should never be traffic originating / initiated from those to a server.

Since I also know this is a practice, not a law, that evolved over time, I know there is no technical limitation to put any number in the source port field of a packet. So my conclusion would be that these queries were generated by some tool in which the source port is filled with a random value (the frequency is about evenly divided over 0-65535, except for a peak around 32768) and that this is a deliberate attack.

Can someone confirm/deny the source port theory and vindicate my conclusion or declare me a total idiot and explain why?

Thanks in advance.

Edit 1: adding more precise info to settle some disputes below that arose due to my incomplete reporting.

It's definitely not a port scan. It was traffic arriving on port 53 UDP and unbound accepted it apparently as an (almost) valid dns query, while generating the following error messages for each packet:

notice: remote address is <ipaddress> port <sourceport>
notice: sendmsg failed: Invalid argument

$ cat raw_daemonlog.txt | egrep -c 'notice: remote address is' 
256497
$ cat raw_daemonlog.txt | egrep 'notice: remote address is' | awk '{printf("%s\n",$NF)}' | sort -n | uniq -c > sourceportswithfrequency.txt
$ cat sourceportswithfrequency.txt | wc -l
56438

So 256497 messages, 56438 unique source ports used

$ cat sourceportswithfrequency.txt | head 
   5 4
   3 5
   5 6

So the lowest source port seen was 4 which was used 5 times

$ cat sourceportswithfrequency.txt | tail
  8 65524
  2 65525
 14 65526
  1 65527
  2 65528
  4 65529
  3 65530
  3 65531
  3 65532
  4 65534

So the highest source port seen was 65534 and it was used 4 times.

$ cat sourceportswithfrequency.txt | sort -n | tail -n 25
  55 32786
  58 35850
  60 32781
  61 32785
  66 32788
  68 32793
  71 32784
  73 32783
  88 32780
  90 32791
  91 32778
 116 2050
 123 32779
 125 37637
 129 7077
 138 32774
 160 32777
 160 57349
 162 32776
 169 32775
 349 32772
 361 32773
 465 32769
 798 32771
1833 32768

So the peak around 32768 is real.

My original question still stands: does this traffic pattern suggest an attack, or is there a logical explanation for, for instance, the traffic with source ports < 1024?

JdeHaan asked Jul 04 '20 12:07

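The shell pipeline in the question does the counting by hand; the following is an added example (not from the question author) that does the same analysis over unbound's "notice: remote address is ... port ..." lines in Python and also buckets each source port into its IANA range (0-1023 system, 1024-49151 user, 49152-65535 dynamic) and measures how much of the traffic sits in the 32768 cluster. The log text is constructed for this example; the addresses and ports in it are made up, and the cluster width of 32 ports is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the shape of the unbound notices quoted in the
# question. Addresses are documentation ranges; ports are invented.
SAMPLE_LOG = """\
notice: remote address is 203.0.113.7 port 4
notice: sendmsg failed: Invalid argument
notice: remote address is 203.0.113.7 port 32768
notice: sendmsg failed: Invalid argument
notice: remote address is 203.0.113.9 port 32768
notice: sendmsg failed: Invalid argument
notice: remote address is 203.0.113.9 port 32771
notice: sendmsg failed: Invalid argument
notice: remote address is 198.51.100.2 port 53
notice: sendmsg failed: Invalid argument
notice: remote address is 198.51.100.2 port 65534
notice: sendmsg failed: Invalid argument
notice: remote address is 198.51.100.2 port 5
notice: sendmsg failed: Invalid argument
"""

REMOTE_RE = re.compile(r"notice: remote address is (\S+) port (\d+)")


def parse_remote_ports(text):
    """Return (ip, port) tuples for every 'remote address' notice line."""
    pairs = []
    for line in text.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            pairs.append((m.group(1), int(m.group(2))))
    return pairs


def port_class(port):
    """Name the IANA range a port falls in (system/user/dynamic)."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    if port < 1024:
        return "system"     # 'well-known'; privileged to bind on Unix
    if port < 49152:
        return "user"       # registered / user range
    return "dynamic"        # IANA-suggested ephemeral range


def summarize(text, cluster_base=32768, cluster_width=32):
    """Source-port statistics in the spirit of the question's shell pipeline.

    cluster_base/cluster_width define the window used to measure how much
    traffic sits in the peak the question observed around 32768 (assumed).
    """
    pairs = parse_remote_ports(text)
    if not pairs:
        return {"messages": 0, "unique_ports": 0}
    ports = Counter(p for _, p in pairs)
    by_class = Counter(port_class(p) for _, p in pairs)
    in_cluster = sum(c for p, c in ports.items()
                     if cluster_base <= p < cluster_base + cluster_width)
    return {
        "messages": len(pairs),
        "unique_ports": len(ports),
        "min_port": min(ports),
        "max_port": max(ports),
        "by_class": dict(by_class),
        "cluster_share": in_cluster / len(pairs),
        "top": ports.most_common(3),
    }


if __name__ == "__main__":
    # Point this at the real file instead: summarize(open("raw_daemonlog.txt").read())
    for k, v in summarize(SAMPLE_LOG).items():
        print("%-14s %s" % (k, v))
```

A strong "system" share or a tight cluster at one base port is a property of whoever sent the packets, not of the DNS server, so the numbers are a fingerprint of the client population rather than proof of intent on their own.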


2 Answers

As far as my knowledge goes these are reserved for services so there should never be traffic originating / initiated from those to a server.

It doesn't matter what the source port number is, as long as it's between 1 and 65,535. It's not like a source port of 53 means that there is a DNS server listening on the source machine.

The source port is just there to allow multiple connections / in-flight datagrams from one machine to another machine on the same destination port.

See also Wiki: Ephemeral port:

The Internet Assigned Numbers Authority (IANA) suggests the range 49152 to 65535 [...] for dynamic or private ports.[1]

CodeCaster answered Oct 19 '22 23:10

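To make the answer's point concrete, here is an added example (not from the answerer) that lets the operating system choose UDP source ports by binding to port 0, then checks that the ports it handed out are distinct, unprivileged and inside the kernel's configured ephemeral range. On Linux the range is read from /proc/sys/net/ipv4/ip_local_port_range; the fallback to 49152-65535 (the IANA suggestion quoted above) on other systems is an assumption of this example.

```python
import socket


def kernel_local_port_range():
    """Ephemeral range the local kernel uses for automatically assigned ports.

    Linux exposes it in /proc; elsewhere fall back to IANA's suggested
    dynamic range (assumption for this example).
    """
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = (int(x) for x in f.read().split())
            return lo, hi
    except (OSError, ValueError):
        return 49152, 65535


def ephemeral_udp_ports(count=8):
    """Bind `count` UDP sockets on loopback with port 0 and return the
    source ports the OS assigned. Nothing is sent; sockets are closed."""
    socks, ports = [], []
    try:
        for _ in range(count):
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind(("127.0.0.1", 0))   # 0 = "choose an ephemeral port for me"
            socks.append(s)
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports


def check_ports(ports, lo, hi):
    """Properties a defender expects from OS-assigned source ports."""
    return {
        "all_in_range": all(lo <= p <= hi for p in ports),
        "all_distinct": len(set(ports)) == len(ports),   # one flow per port
        "none_privileged": all(p >= 1024 for p in ports),
    }


if __name__ == "__main__":
    lo, hi = kernel_local_port_range()
    ports = ephemeral_udp_ports()
    print("kernel range %d-%d" % (lo, hi))
    print("assigned ports", ports)
    print(check_ports(ports, lo, hi))
```

The distinctness check is the practical meaning of "the source port is just there to allow multiple connections": each simultaneously open socket gets its own port so replies can be demultiplexed. A client that writes its own values into the source-port field is not bound by the kernel's range, which is why the field identifies a sender's software more than it identifies a service.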

That sounds like a port scan.

There are 65536 distinct and usable port numbers. (ibid.)

FYI: The TCP and UDP port 32768 is registered and used by IBM FileNet TMS.

greg-tumolo answered Oct 19 '22 23:10