
Port 5555 Android Debug Bridge

NealSullivan
Superfast

There's a reason to block 137/9 & 445; surely port 5555 can be similarly killed...

I have hundreds of ADB attempts come in on a monitor here, and it only takes one sloppily built Android device to be address-translated inbound for possibilities of all sorts of remote fun! Having root over whatever from a distance (Pacific especially today!). Imagining TV boxes and home routers and fridges being scraped or botted... The Terminator is out there to be built from white goods!!

Just a thought!


Tudor
Very Insightful Person

Don't understand your post. Unless there is a port forwarding rule for 5555 the IP frame will just go to whatever is defined as your router. If the router is the VM hub it will just get dropped; the same should happen for your own router unless you take special action.


Tudor
There are 10 types of people: those who understand binary and those who don't and F people out of 10 who do not understand hexadecimal c1a2a285948293859940d9a49385a2

>> Don't understand your post.
Lol. Google "Routing", "Networking" etc.

Anyway, know ye of UPnP? Know you what ADB even is?
Some people may, for example, port-forward everything to one host for easiness, or just use the modem, or just be exploring. E.g. DVRs/STBs/fridges/etc./phones!
Google debug-mode "TVs".


I'm having hundreds of 5555 connection attempts here ("CNXN"s), which just feed something I use to block the strays. 1433 (mssql) is a particularly prevalent probe too, which I think the network could do without.

So imagine along the chain, at layer 3/4, there are rules (look that up!)... One such could be "no 5555 traffic". It'll save a lot of future hassle I am sure...

Just sayin!! 😄 x 2^10
NEAL
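One way to turn logged 5555 hits into something a firewall can act on, as an added example that is not code from this thread or from Virgin Media: it parses constructed firewall log lines, checks whether the first bytes a source sent form a structurally valid ADB CNXN message (24-byte little-endian header: command, version, maxdata, data length, checksum, magic = command XOR 0xFFFFFFFF), counts hits per source, and renders nftables commands for the repeat offenders. The log line layout, the `inet filter` table, the `adb_probes` set name and the sample addresses are all assumptions.

```python
"""Spot inbound ADB (port 5555) probes in firewall logs and render block rules.

Added example, not code from the thread. Log format, table and set names are assumptions.
"""
import re
import struct
from collections import Counter

ADB_PORT = 5555
ADB_HEADER = struct.Struct("<6I")   # command, arg0, arg1, data_len, data_check, magic (little-endian)
A_CNXN = 0x4E584E43                 # the bytes b"CNXN" read as a little-endian uint32


def is_adb_cnxn(payload: bytes) -> bool:
    """Return True when payload starts with a structurally valid ADB CNXN message."""
    if len(payload) < ADB_HEADER.size:
        return False
    command, _version, _maxdata, data_len, data_check, magic = ADB_HEADER.unpack_from(payload)
    if command != A_CNXN or magic != command ^ 0xFFFFFFFF:
        return False
    body = payload[ADB_HEADER.size:ADB_HEADER.size + data_len]
    if len(body) != data_len:
        return False
    # Legacy ADB carries a byte-sum checksum; newer peers may send 0 instead, so accept both.
    return data_check in (0, sum(body) & 0xFFFFFFFF)


def make_cnxn_sample(banner: bytes = b"host::\x00") -> bytes:
    """Build a CNXN message purely to construct test input for the detector."""
    return ADB_HEADER.pack(A_CNXN, 0x01000000, 4096, len(banner), sum(banner),
                           A_CNXN ^ 0xFFFFFFFF) + banner


# Assumed log line shape (constructed for this example): key=value fields, payload as hex.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dpt=(?P<dpt>\d+)\s+payload=(?P<payload>[0-9a-fA-F]*)")


def parse_line(line: str):
    """Extract (source address, destination port, decoded payload), or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], int(m["dpt"]), bytes.fromhex(m["payload"])


def scan(lines):
    """Count port-5555 hits per source and record sources that sent a real ADB handshake."""
    hits, cnxn = Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dpt, payload = rec
        if dpt != ADB_PORT:
            continue
        hits[src] += 1
        if is_adb_cnxn(payload):
            cnxn.add(src)
    return hits, cnxn


def block_candidates(hits, cnxn, threshold=3):
    """A source qualifies if it repeatedly touches 5555, or sent a valid CNXN even once."""
    return sorted(src for src, n in hits.items() if n >= threshold or src in cnxn)


def nft_commands(addrs, table="inet filter", set_name="adb_probes"):
    """Render nftables commands dropping new inbound 5555 connections from the candidates.

    Assumes the table exists and set_name is an ipv4_addr set already created in it.
    """
    if not addrs:
        return []
    return [
        f"nft add element {table} {set_name} {{ {', '.join(addrs)} }}",
        f"nft add rule {table} input ip saddr @{set_name} tcp dport {ADB_PORT} ct state new drop",
    ]


# Constructed sample log: two 5555 sources (one real ADB client, one bare SYN scanner) and a 1433 probe.
_CNXN_HEX = make_cnxn_sample().hex()
SAMPLE_LOG = [
    f"2022-05-14T10:02:11Z src=203.0.113.7 dpt=5555 payload={_CNXN_HEX}",
    "2022-05-14T10:02:13Z src=198.51.100.9 dpt=5555 payload=",          # SYN only, no data yet
    "2022-05-14T10:02:15Z src=192.0.2.5 dpt=1433 payload=",             # SQL probe, not our port
    "2022-05-14T10:02:40Z src=198.51.100.9 dpt=5555 payload=434e584e",  # 'CNXN' text, no valid header
    "2022-05-14T10:03:02Z src=198.51.100.9 dpt=5555 payload=",
    "2022-05-14T10:04:19Z src=198.51.100.9 dpt=5555 payload=",
    f"2022-05-14T10:05:00Z src=203.0.113.7 dpt=5555 payload={_CNXN_HEX}",
]

if __name__ == "__main__":
    hits, cnxn = scan(SAMPLE_LOG)
    for src in block_candidates(hits, cnxn):
        print(f"{src}: {hits[src]} hits on {ADB_PORT}, real ADB handshake: {src in cnxn}")
    print("\n".join(nft_commands(block_candidates(hits, cnxn))))
```

The distinction between a bare SYN and a valid CNXN matters for triage: a scanner that completes the handshake and sends "host::" is an ADB client looking for an unauthenticated daemon, while a SYN-only hit may be a generic port sweep. The rendered commands only block the listed sources; a network-wide "no 5555 traffic" rule as proposed above would simply be `tcp dport 5555 ct state new drop` without the set match.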

Tudor
Very Insightful Person

"Some people may, for example, port-forward everything to one host, for easyness,"

90%+ of people using VM as their ISP do not use, let alone understand, Port Forwarding. I would have thought it madness to port forward all ports to one host; far better to handle them in your router's firewall.



>> 90%+ of people using VM as their ISP do not use let alone understand Port Forwarding.
I'd like to see statistics for that, or is that a guess? Not understanding can lead to (as I'm sure you have had) overconfidence and then mistakes!
VM don't just do homes either, do they?
I'm pretty sure 137/139/445 are filtered, aren't they?

>> I would have thought it madness to port forward all ports to one host,
?? Can you not imagine one, or millions, of scenarios where that might occur?

>> far better to handle them in your routers firewall.
?? Far better to block network-wide??
Oh, I'm doing a lot more than that! It's better to understand what's going on at packet level in the world, look at what is in those packets and try them out (locally!).

There are thousands of compromised machines sending thousands of ADB connection attempts. If I'm getting them then the whole network probably is, I imagine!

Remember Terminator started somewhere, probably RISC-V!!! And SolarWinds certs, rofl. What mistakes to make.

🙂    just sayin!! :
NEAL

用心棒
Very Insightful Person

Current unique IP Address data from Shadowserver for the Northern Europe region would suggest that such a block is maybe unwarranted at present:
[image: 2022-05-08.jpeg]

--
I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media.

Great info, thanks!!! 🙂   That's the kind of stats I want to see!!!   Remember one of those numbers is just my trap here. Counting around the 250 connections today (dwarfing the 1433 SQL ones, fair enough).

Even one open number can be too many. What if there was a compromised robot vacuum cleaner doing the job at an important government place?
Like at those parties last year, and it all turned out to be the ***** secret services gathering information, because Boris had set up the wifi with "BigDog" as the password??!

But still, UPnP, especially with the HUB5 problem!!   I'm getting a new modem in the post unexplainably, is that why?
Imagine I wrote a bit of code that set up UPnP forwarding on 5555 to the device running it (IoT/RISC/etc.). And the device code was written by students (like Whahei).

Now is often OK, but the future is marching closer!
Similar to the world in 2019... "What could go wrong with the status quo?"!?

Cheers

These are the levels at the user end.
The blue ones are 5555, probably infected machines. They get logged and scraped and blocked. Certain countries get blocked at the 16-bit-subnet level, especially during the war.

[image: NealSullivan_0-1652563635961.png]

I've noticed a lot of these coming out of e.g. Kyiv, Lviv and more, most likely VPNs that geolocate there. Some form of false-flagging...
Even better to kill off 1433 as well; who needs SQL on a raw public network?

Let's not do what the US cable company does and start blocking ports. Yes, 137-138, 135, 139 and 445 do need to be blocked, and for good reason, but really ANY port can be a problem, and UPnP does not help matters and really is the cause, not the port in question.
---------------------------------------------------------------

🙂 Nice one @Alesandro, I respect your opinion, especially after these years... But,

>> blocking ports yes 137-138,135,139 and 445 do need to blocked

Why these, and not "some others"? I'd have gone for the SQL ports a long time ago; there are a lot of packages that install SQL variants as their engine, as you know. All sorts of financial systems and stuff.

Assuming that these attacks are coming in from somewhere already compromised, just keep an eye out, eh? As someone who defaced Derby County's website long in the past, just from learning what was going on in the public-network echospaces...

Public-facing LM/DS networking, or Android root shell: like trying to decide which you like the most, Fred or Rosemary (West)!

I imagine there's a way to persuade someone to install a "hack into other people's kit" app going round that needs root, that is specially crafted to open 5555 up.

Nice to chat again Alessandro!
NEAL