[Dshield] Port 1026

Bill McCarty bmccarty at pt-net.net
Sun Jan 4 04:01:41 GMT 2004

Hi all,

Notice on the 10-day Port Report how the port 1026 spike 
x=2&percent=N&days=10&Redraw=>) has subsided and a new spike has presented 
on port 1028 
x=2&percent=N&days=10&Redraw=>). On my class C, I've seen no port 1026 
traffic today; however I've seen 33 packets on port 1028. Each of the 33 
packets has been associated with pop-up spam related to PlayersEdge.us.
So, it appears to me that yesterday's spikes on port 1026 and today's on 
port 1028 are both likely associated with the PlayersEdge pop-up spam.

None of the 32 discrete source hosts targeting port 1026 are among the 33 
discrete source hosts targeting port 1028. And, I've seen no port 1027 
traffic. So, the pop-up sources appear to be centrally controlled. The 
source domains are a who's who of prominent organizations (e.g., Bank of 
America, DOD, IANA, IBM). Therefore, I strongly suspect that the source IP 
addresses are spoofed. Each port-1028 source has a distinct TTL, ranging 
from 99 to 223. The TTLs of the port-1026 sources are similar, but not 
identical. In particular, the median TTL of port-1026 sources is 160, 
whereas that of port-1028 sources is 180. So, I suspect that the initial 
TTLs are crafted to disguise the location of the sources.

Alternatively, there may exist two more or less disjoint sets of hosts, one 
associated with the port 1026 traffic and the other associated with the 
port 1028 traffic. These sets are relatively remote in terms of their 
Internet locations. Thus, traffic from one set has a median TTL lower than 
that from the other set. However, I prefer the notion that the TTLs are 
crafted, as this seems to me to be the simpler explanation for the 
variation in TTLs.

Does anyone else have captures of this traffic? I'm interested in trying to 
triangulate the TTLs with a view to determining the location(s) of the 
actual sources.

Bill McCarty
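An added example of the kind of TTL analysis described above, not code from Bill's post or from DShield: it takes constructed (source IP, destination port, TTL) records, computes the per-port median TTL, checks whether the port 1026 and port 1028 source sets overlap, and flags sources whose TTL implies an implausible hop count if a stock OS initial TTL had been used, which is one indicator that the initial TTL was crafted. The record format, sample addresses, TTL values and the 40-hop threshold are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records (source IP, destination port, observed TTL).
# The IPs and TTLs are made up for illustration and are not Bill's captures.
SAMPLE_RECORDS = [
    ("192.0.2.10", 1026, 150),
    ("192.0.2.11", 1026, 160),
    ("192.0.2.12", 1026, 170),
    ("198.51.100.20", 1028, 99),
    ("198.51.100.21", 1028, 180),
    ("198.51.100.22", 1028, 223),
]

# Initial TTLs commonly set by real operating systems.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def group_by_port(records):
    """Map each destination port to its list of (source, ttl) observations."""
    by_port = defaultdict(list)
    for src, port, ttl in records:
        by_port[port].append((src, ttl))
    return dict(by_port)


def median_ttl_by_port(records):
    """Median observed TTL per destination port."""
    return {port: median(ttl for _, ttl in obs)
            for port, obs in group_by_port(records).items()}


def shared_sources(records, port_a, port_b):
    """Source IPs seen on both ports; an empty set means the source sets are disjoint."""
    by_port = group_by_port(records)
    sources = lambda p: {src for src, _ in by_port.get(p, [])}
    return sources(port_a) & sources(port_b)


def estimate_hops(ttl):
    """Hop estimate assuming the smallest common initial TTL not below the observed value."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial - ttl


def implausible_ttl_sources(records, port, max_hops=40):
    """Sources whose TTL implies more hops than a real path would plausibly take;
    a plausible reading is that the initial TTL was crafted rather than set by a stock OS."""
    return sorted(src for src, ttl in group_by_port(records).get(port, [])
                  if estimate_hops(ttl) > max_hops)
```

Run against real firewall or capture logs, a port whose sources mostly land in the implausible list while the per-port medians differ is the pattern the post describes; the threshold is a heuristic and should be tuned to the paths you actually observe.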
