LinuxQuestions.org


mikeyt_3333 11-07-2001 05:05 PM

Interesting
 
K, my server was lagging big time today, and when I looked at my snort logs there was a huge amount of access to my system from a source port below 1024. I know that ports 0 - 1024 are reserved, and therefore a system connecting to my system should be using a port above 1024, but what would it mean if they weren't? Most hits from a system using ports below 1024 are focused on my domain port. I have since blocked all access to any source originating on a port below 1024, but I was just curious what type of attack I might be dealing with, and why it makes a difference what port they originate the "call" on.

TIA
Mike.

unSpawn 11-08-2001 01:37 AM

It means the (human) scanner has got root access on the other box (if below 1024).
I'd say you could do worse than install Snort, it'll pick out the different exploits, IIRC the BIND exploit was used with Ramen and the likes.
Also look up the source addresses at SANS, could give some info if mass attacks are taking place.
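As an added example (not code from the thread), here is a small Python script that parses Snort-style fast-alert lines and counts the hits whose source port is below 1024, grouped by source address and destination port; the alert lines and addresses are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample lines in Snort "fast" alert style; not real log data.
SAMPLE_ALERTS = """\
11/07-14:02:11.120034 [**] [1:1000001:1] DNS query [**] {UDP} 198.51.100.7:53 -> 203.0.113.5:53
11/07-14:02:11.310221 [**] [1:1000001:1] DNS query [**] {UDP} 198.51.100.7:53 -> 203.0.113.5:53
11/07-14:02:12.004411 [**] [1:1000002:1] TCP connect [**] {TCP} 198.51.100.9:1025 -> 203.0.113.5:80
11/07-14:02:12.550900 [**] [1:1000001:1] DNS query [**] {UDP} 198.51.100.7:20 -> 203.0.113.5:53
11/07-14:02:13.100000 [**] [1:1000002:1] TCP connect [**] {TCP} 198.51.100.11:40000 -> 203.0.113.5:53
"""

# Matches the "{PROTO} src:sport -> dst:dport" tail of a fast-alert line.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

PRIVILEGED_MAX = 1023  # source ports 0-1023 normally require root on a Unix sender


def parse_alerts(text):
    """Yield (proto, src_ip, sport, dst_ip, dport) for every parseable line."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def low_source_port_hits(text):
    """Count alerts sent from a privileged source port, keyed by (src_ip, sport, dport).
    Note: older DNS servers sent their own queries from source port 53, so a
    53 -> 53 flow alone is not proof of anything; the volume and pattern matter."""
    counts = Counter()
    for _proto, src, sport, _dst, dport in parse_alerts(text):
        if sport <= PRIVILEGED_MAX:
            counts[(src, sport, dport)] += 1
    return counts


def hits_by_dest_port(counts):
    """Roll the per-source counts up by destination port to see which service is targeted."""
    by_port = Counter()
    for (_src, _sport, dport), n in counts.items():
        by_port[dport] += n
    return by_port


if __name__ == "__main__":
    hits = low_source_port_hits(SAMPLE_ALERTS)
    for (src, sport, dport), n in hits.most_common():
        print(f"{src}:{sport} -> dport {dport}: {n} hit(s)")
    print("by destination port:", dict(hits_by_dest_port(hits)))
```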

mikeyt_3333 11-08-2001 07:37 AM

Thanks for the reply, it's good to know. Sorry for the ignorance, but what is SANS?

Thanks.
Mike.

unSpawn 11-08-2001 01:44 PM

SANS(.org) is, like CERT(.org), an organisation that provides security advisories, guidelines etc etc; btw SANS reroutes their info to incidents.org, which has 24/7 coverage with OTF reporting by human security officers who track attacks etc.
The next best 2 sources (IMHO) are securityfocus.com and bugtraq (hosted at secfocus).
