[Dshield] PORT 22321

Mike Wisener mwisener at lurhq.com
Wed Oct 1 14:16:34 GMT 2003


The graph seems to be a bit misleading. If you look at the actual numbers in 
the data you see that on 9-11 there were 18368 sources, and 6 targets. If a 
firewall is configured for default allow outbound, then the file sharing 
application communicates successfully to the many remote peers. When the 
remote peers try to respond, they get dropped at the firewall. Therefore you 
have lots of sources to only a few destinations. All these records are 
submitted to dshield and you see a spike in the graph.

Also if you look up port 7674, you see a similar increase on 9-11.


- Mike

Mike Wisener, GCIA
Senior Information Security Analyst
LURHQ Corporation
mwisener at lurhq.com

> Thanks, interesting paper.
> But doesn't seem to explain the nature of the peaks in the dshield
>  graph for this port. Although the server is in Korea I can't see why
>  music server software would hit Dshield ports in such a regular
>  fashion unless it is a deliberate feature of the software.
> What time series analysis is done on the DSHIELD data? Obviously some
> sort of trend analysis to note ups and downs per port, but has anyone
> done any more detailed analysis to look for other features? Can I get
> timeseries of port 22321 going further back in time? Raw data?
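
The sources-versus-targets reasoning in the message above, as an added example that is not part of the original post: Python code that counts distinct sources and targets per day and destination port in firewall drop records, then labels the shape of each bucket. The record layout, the ratio threshold of 50, ports 40000 and 40001, and every sample address are assumptions constructed for illustration.

```python
from collections import defaultdict

def summarize(records):
    """Count distinct sources and targets per (day, dst_port) bucket."""
    srcs, dsts = defaultdict(set), defaultdict(set)
    for day, src, dst, port in records:
        srcs[(day, port)].add(src)
        dsts[(day, port)].add(dst)
    return {k: (len(srcs[k]), len(dsts[k])) for k in srcs}

def classify(n_sources, n_targets, ratio=50):
    """Label a bucket by its shape; ratio is an assumed threshold."""
    if n_sources >= ratio * n_targets:
        # Many remote peers, few local hosts: consistent with replies to a
        # local client that were dropped inbound at the firewall.
        return "fan-in"
    if n_targets >= ratio * n_sources:
        # Few sources, many targets: the shape of a sweep.
        return "fan-out"
    return "mixed"

def report(records, ratio=50):
    """Map each (day, dst_port) bucket to its shape label."""
    return {k: classify(s, t, ratio) for k, (s, t) in summarize(records).items()}

def sample_records():
    """Constructed drop-log records: (day, src, dst, dst_port)."""
    recs = []
    for i in range(200):   # 200 peers answering 2 internal hosts on 22321
        recs.append(("09-11", f"198.51.100.{i + 1}", f"10.0.0.{i % 2 + 1}", 22321))
    for i in range(200):   # 2 sources sweeping 200 addresses (constructed port)
        recs.append(("09-11", f"203.0.113.{i % 2 + 1}", f"192.0.2.{i + 1}", 40000))
    for i in range(5):     # small, balanced bucket (constructed port)
        recs.append(("09-11", f"203.0.113.{i + 10}", f"10.0.1.{i + 1}", 40001))
    recs += recs[:50]      # repeated packets must not inflate distinct counts
    return recs

if __name__ == "__main__":
    stats = summarize(sample_records())
    for key, label in sorted(report(sample_records()).items()):
        print(key, stats[key], label)
    # The figures quoted in the message: 18368 sources, 6 targets.
    print("18368 sources / 6 targets ->", classify(18368, 6))
```

Counting distinct addresses rather than raw records keeps retransmissions from exaggerating either shape.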
