[Dshield] Port 23 activity spike

Bill McCarty bmccarty at pt-net.net
Wed Jan 7 03:25:04 GMT 2004

Hi all,

--On Tuesday, January 06, 2004 5:07 PM -0500 "Johannes B. Ullrich" 
<jullrich at sans.org> wrote:

> So interestingly, the increase in scans can be attributed to one
> source, but it's a different source each day.

> So we got kind of a one-to-one relationship between the number of
> reports sent for port 23 by the largest submitter, compared to the
> most notorious target.

Thanks, Johannes, for the enlightening analysis!

One of the key questions that always interests me is the extent to which 
unusual activity on my network is part of a general Internet-wide trend, or 
merely peculiar to my network. I presume that this question is also of 
interest to others.

Johannes's analysis draws on data that we outside SANS can't currently 
access via the publicly available DShield reports. I encourage work that 
would provide the community with tools that would enable us to perform 
similar analyses. That'd be way cool <g>.


Bill McCarty

