[Dshield] DNS traffic?

Wilfred A. Smith wilfred at esprit-omnimedia.com
Wed Aug 27 03:26:43 GMT 2003


Hey, that's the same IP that I'm getting plastered with (in this
particular case).  Can't someone just get in touch with the ISP and
insist that this user quit it or get off the 'Net?  

He taps me once every hour, it seems.  Both ports get discarded, but
it's utterly disturbing how much hostile traffic I'm finding on the
'Net.  In my case, legitimate traffic is < 1/4 my total!

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of George Theall
Sent: Tuesday, August 26, 2003 10:12 AM
To: General DShield Discussion List
Subject: Re: [Dshield] DNS traffic?

On Tue, Aug 26, 2003 at 08:20:11AM -0700, Wilfred A. Smith wrote:

> Am I the only one seeing tons of hits on port 135 from remote port 666,
> followed by a hit to 1026?

I suspect these are related to Windows Messenger popups.  As ISPs have
begun blocking port 135, popup spam is increasingly targeting UDP port
1026.  See <http://www.lurhq.com/popup_spam.html>.

The lion's share of the activity I see is from 64.156.39.12,
dialup-64.156.39.12.Dial1.Denver1.Level3.net.  This particular host
started hitting me in late July and has been continuing to do so several
times per day for each host I monitor. Now I tarpit it.

George
-- 
theall at tifaware.com



