Port 5500 - a lot of traffic (that is of course denied)

Started by lar.hed, July 13, 2020, 10:24:34 AM

Just since I am a bit curious: Anyone know why "people" seem to think that port 5500 (udp) with different source and/or destination IPs is funny to run all the time? Someone in the Netherlands just keeps sending this to my static IP - goes in bursts - and well it is denied, so no biggie there (I have no open ports at all, only traffic from my network out so to speak). But why? Any ideas?


This is a never-ending thing, I still have a heck of a lot of traffic trying to get over UDP port 5500 - yes it is still denied of course. But I am intrigued by the fact that whoever is doing this keeps doing it all the time. Currently I have a 100% blocking just because of this...

Contact the ISP of the offending address, no guarantee they will do anything but in my experience an email to abuse@whicheverisp.com sometimes gets results. I had a case where when I changed ISPs one of my static IP addresses was previously allocated to someone else, they had a device that was constantly trying to open a VPN connection. I contacted my ISP who was able to contact them and a couple of days later it stopped.
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

I've sent an email to abuse Telenor (Sweden and Norway funny enough), to look into IPs:

62.127.113.21
62.127.113.39

93.91.111.2
93.91.111.6
93.91.111.10
93.91.111.14
93.91.111.26

The thing I do not get is that my static IP is not the one that I see in the "transactions", like this one:
2020-07-21T08:13:30   11,,,0,igb1,match,block,in,4,0x80,,22,13957,0,DF,17,udp,1356,93.91.111.6,233.184.48.150,5500,5500,1336

I decided to create a floating rule just to a) get a counter of how many per day, and b) remove the lines from the log....

I get about +120.000 requests from who-ever-is-doing-this...
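
For anyone triaging the same kind of log noise, here is an added example (not code from this thread or from OPNsense) that counts blocked UDP/5500 entries per day and labels each destination as unicast or multicast. The field positions are an assumption based on the pf filterlog IPv4/UDP layout seen in the quoted line; only the first sample line comes from the thread, the rest are constructed. The destination in the quoted line, 233.184.48.150, falls inside 224.0.0.0/4, the IPv4 multicast range.

```python
import ipaddress
from collections import Counter

# First line is quoted in the thread; the remaining lines are constructed samples.
SAMPLE_LOG = """\
2020-07-21T08:13:30   11,,,0,igb1,match,block,in,4,0x80,,22,13957,0,DF,17,udp,1356,93.91.111.6,233.184.48.150,5500,5500,1336
2020-07-21T08:13:31   11,,,0,igb1,match,block,in,4,0x80,,22,13958,0,DF,17,udp,1356,93.91.111.6,233.184.48.150,5500,5500,1336
2020-07-22T09:00:02   11,,,0,igb1,match,block,in,4,0x0,,51,4021,0,DF,17,udp,60,198.51.100.7,203.0.113.10,40000,5500,32
2020-07-22T09:00:05   11,,,0,igb1,match,block,in,4,0x0,,51,4022,0,DF,6,tcp,60,198.51.100.7,203.0.113.10,40000,5500,0,S,1,,64240,,
"""

def parse_line(line):
    """Return a dict for an IPv4 UDP filterlog entry, or None for anything else."""
    parts = line.split(None, 1)           # timestamp, then the CSV payload
    if len(parts) != 2:
        return None
    ts, csv = parts
    f = csv.strip().split(",")
    # Assumed layout: f[4]=iface f[6]=action f[8]=ipver f[16]=proto f[18..21]=src,dst,sport,dport
    if len(f) < 22 or f[8] != "4" or f[16] != "udp":
        return None
    return {"day": ts[:10], "iface": f[4], "action": f[6],
            "src": f[18], "dst": f[19], "dport": int(f[21])}

def dst_kind(ip):
    """Classify a destination so traffic not addressed to the WAN IP stands out."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        return "multicast"
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    return "unicast"

def summarize(log_text, port=5500):
    """Count blocked UDP packets to `port` per day and per (src, dst, kind) flow."""
    per_day, per_flow = Counter(), Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["action"] != "block" or e["dport"] != port:
            continue
        per_day[e["day"]] += 1
        per_flow[(e["src"], e["dst"], dst_kind(e["dst"]))] += 1
    return per_day, per_flow

if __name__ == "__main__":
    days, flows = summarize(SAMPLE_LOG)
    for day, n in sorted(days.items()):
        print(day, n)
    for (src, dst, kind), n in flows.most_common():
        print(f"{src} -> {dst} ({kind}): {n}")
```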