[Dshield] Spammers discover the SQL Slammer concepts works -UDP 1026 spam traffic up

Blake McNeill mcneillb at linklogger.com
Tue Sep 16 12:11:51 GMT 2003


When Messenger Service spam is sent via a Net Send method for example, a
number of ports and additional traffic are involved before the message can
be delivered (for example UDP ports 135, 137 and likely a port above 1023 ie
the services port), which reduces the delivery rate of the spam message.
However the new method only requires only a single port hit (the port where
Services.exe is listening) and no additional traffic or ports.  Combine this
with a single UDP packet and you have SQL Slammer performance for sending
out spam.

Blake
http://www.SonicLogger.com - Logging Software for SonicWall
http://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel


From: "Johannes Ullrich" <jullrich at euclidian.com>
>
> Popup spam always used UDP. However, so far it used port 135. However,
> after MS Blaster, a lot of ISPs blocked port 135. As a result, the
> spam is now sent over the higher port 1026, which works as well.
>




More information about the list mailing list