[Dshield] Massive port 135 upswing?

Slade Edmonds slade at cryptoflow.net
Mon Jun 14 19:58:11 GMT 2004


Nels Lindquist wrote:

>Okay, something's going on.
>
>Anyone else seeing a massive increase in port 135 hits?  Our firewall 
>is currently seeing 35% CPU utilization from syslogd just keeping up 
>with dropped packets; the last hourly DShield submission bounced from 
>the submission queue due to size throttling on the MTA.
>
>Looks like worm traffic--loads of different IP addresses from all 
>over the place, all hitting TCP port 135.  If it's *not* worm 
>traffic, could it be a DDOS attack?
>
>- ----
>Nels Lindquist <*>
>Information Systems Manager
>Morningstar Air Express Inc.
>
Where's your border router?  Not sure how others approach this, but I'd 
never let it reach the firewall in the first place.  Assuming you have 
equipment to handle that of course.  I drop mess like this at the perimeter.

Slade



