Many questionable Russian sites do full port scans not only on localhost but on all the private subnets. I had to block all access to ports above 1024 for all local subnets. Usually people don't have firewall rules for that.