[Dshield] Port 1026
bmccarty at pt-net.net
Sun Jan 4 04:01:41 GMT 2004
Notice on the 10-day Port Report how the port 1026 spike has subsided and a
new spike has presented on port 1028. On my class C, I've seen no port 1026
traffic today; however I've seen 33 packets on port 1028. Each of the 33
packets has been associated with pop-up spam related to PlayersEdge.us.
So, it appears to me that yesterday's spikes on port 1026 and today's on
port 1028 are both likely associated with the PlayersEdge pop-up spam.
None of the 32 discrete source hosts targeting port 1026 are among the 33
discrete source hosts targeting port 1028. And, I've seen no port 1027
traffic. So, the pop-up sources appear to be centrally controlled. The
source domains are a who's who of prominent organizations (e.g., Bank of
America, DOD, IANA, IBM). Therefore, I strongly suspect that the source IP
addresses are spoofed. Each port-1028 source has a distinct TTL, ranging
from 99 to 223. The TTLs of the port-1026 sources are similar, but not
identical. In particular, the median TTL of port-1026 sources is 160,
whereas that of port-1028 sources is 180. So, I suspect that the initial
TTLs are crafted to disguise the location of the sources.
Alternatively, there may exist two more or less disjoint sets of hosts, one
associated with the port 1026 traffic and the other associated with the
port 1028 traffic. These sets are relatively remote in terms of their
Internet locations. Thus, traffic from one set has a median TTL lower than
that from the other set. However, I prefer the notion that the TTLs are
crafted, as this seems to me to be the simpler explanation for the
variation in TTLs.
Does anyone else have captures of this traffic? I'm interested in trying to
triangulate the TTLs with a view to determining the location(s) of the