[Dshield] RE: Recent jump in Port 135 Targets in DShield Data

Ed Truitt ed.truitt at etee2k.net
Tue Sep 23 12:39:35 GMT 2003

David Mehl wrote:

>Looking again at DShield's Port 135 Port Report, something is really up. Follow the link to:
>Notice that the number of Reports is holding in the 11 to 12 Million range while the number of sources steady around 170 to 200 thousand. Before Yesterday the number of targets ranges of 200 to 300 thousand. Yesterday we had 875 thousand targets scanned, a five fold increase, and more than we saw at the peak of Blaster. And we are on track to have over a million targets scanned today. 
>The scanning methods have changed. The same old addresses are pumping out aboput as many packets, but they are hitting far more targets. Something is afoot.
I am not sure they are the "same old addresses", there is the distinct 
possibility that new attackers are coming online at about the same rate 
that Blasters are being disinfected.  However, I noticed that we DID hit 
a million targets for 135 probes yesterday, even though the activity on 
my own tarpit is at about the same level as before, and almost all of 
the 135 probes appear to be coming from the same /8 netblock (216) that 
I am on.

I can try to capture some sample packets, and see if there is something 
new.  Of course, if someone more versed in this than I can or has done 
so, it would be much easier and faster.

Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

More information about the list mailing list