Inbound requests after opening Electrum
A few days ago, I was exploring Electrum (Android) out of curiosity. A few moments later, I got notified by our firewall that it flagged several suspicious inbound requests. The source IPs came from various countries, all of which use port 50002. The destination was my phone, at seemingly random ports. I disconnected my phone from the internet, and the requests would stop. They’d start again if I connected and used Electrum.
Initially, I thought Electrum was P2P and was doing peer discovery, which would conveniently explain why a machine over the internet would attempt to talk to my machine. But reading ElectrumX’s docs and several other online resources, Electrum is a client-server setup — wallets talk to servers. The only P2P component I see is when servers talk to other servers to find other servers or advertise their presence to other servers. But this would not explain the inbound connection to my machine.
So what’s going on? Is this normal behavior? Is the wallet also a "peer"? Or is this some malicious attempt to break in? Everyone coming from port 50002 and Electrum servers using port 50002 is probably not a coincidence though. Thoughts? Did I miss some detail in the docs?
Article source: “https://bitcoin.stackexchange.com/questions/80444/inbound-requests-after-opening-electrum”