[Dshield] Massive port 135 upswing?

Stephane Grobety security at admin.fulgan.com
Tue Jun 15 08:38:19 GMT 2004


NL> Anyone else seeing a massive increase in port 135 hits?  Our firewall
NL> is currently seeing 35% CPU utilization from syslogd just keeping up 
NL> with dropped packets; the last hourly DShield submission bounced from 
NL> the submission queue due to size throttling on the MTA.

I just checked my logs and, no: I don't see any notable increase in
port TCP 135 hits: just your usual worm plus a few misconfigured
machines.

NL> Looks like worm traffic--loads of different IP addresses from all 
NL> over the place, all hitting TCP port 135.  If it's *not* worm 
NL> traffic, could it be a DDOS attack?

Possible, but very unlikely IMNSHO. To get a better idea, try to answer
these questions:

1/ Are they trying to connect to all internal machines at random or to
a (few) specific ones?
2/ If you let a connection through, does it complete or is it just a
SYN packet (is it spoofed?)
3/ Are the source IPs always different or do you have a reduced number
of attackers (might be 100 machines, but you see the same IPs appearing
in the log all over the place)?
4/ What's the TTL on all these packets? Are they the same?

DDoS usually does not use TCP 135 as it's easy to filter and you don't
need it for the typical Internet traffic.

If you're seeing such a large number of hits, I would investigate the
following possibilities:

1/ It's a misconfigured network: someone FUBARed the DHCP config of
some large network and machines are trying to contact a ghost WINS
server with your IP (just an example).
2/ Someone in your IP neighborhood just removed a filter on TCP 135 on
a network of home users (your ISP, maybe). You're just seeing the
noise that was filtered before.
3/ Someone is scanning your network for machines to turn into zombies
and he's doing it from a botnet. I think this is unlikely because they
would be testing for other vulnerabilities as well.
4/ Someone is scanning your network in preparation of an attack. In
order to find machines responding to 135, they are using a port scanner
that will try to mask the real scanner IP by sending a lot of spoofed
packets at the same time: this way, you can't know what IP the
attacker uses.

Good luck,
Stephane
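Added example (not part of the original post or the DShield tooling): a small Python triage script that answers questions 1, 3 and 4 above from iptables-style firewall drop lines, i.e. how many distinct targets are hit, how concentrated the sources are, and whether the TTLs are suspiciously uniform. The log lines are constructed (RFC 5737 documentation addresses) and the field layout assumes the usual `SRC=`/`DST=`/`TTL=`/`DPT=` syslog format.

```python
import re
from collections import Counter

# Constructed iptables-style syslog lines using documentation addresses; not real traffic.
SAMPLE_LOG = """\
Jun 15 08:00:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 TTL=113 PROTO=TCP SPT=3311 DPT=135 SYN
Jun 15 08:00:02 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 TTL=113 PROTO=TCP SPT=1044 DPT=135 SYN
Jun 15 08:00:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 TTL=113 PROTO=TCP SPT=3312 DPT=135 SYN
Jun 15 08:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.21 DST=192.0.2.10 TTL=48 PROTO=TCP SPT=1025 DPT=135 SYN
Jun 15 08:00:04 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 TTL=113 PROTO=TCP SPT=3313 DPT=135 SYN
Jun 15 08:00:05 fw kernel: DROP IN=eth0 SRC=203.0.113.21 DST=192.0.2.10 TTL=48 PROTO=TCP SPT=1026 DPT=80 SYN
"""

FIELD = re.compile(r"(SRC|DST|TTL|DPT)=(\S+)")

def parse(log):
    """Yield a dict of SRC/DST/TTL/DPT for every line that carries all four fields."""
    for line in log.splitlines():
        fields = dict(FIELD.findall(line))
        if {"SRC", "DST", "TTL", "DPT"} <= fields.keys():
            yield fields

def triage(log, dport="135"):
    """Summarise hits on `dport` along the axes the post asks about."""
    hits = [f for f in parse(log) if f["DPT"] == dport]
    srcs = Counter(f["SRC"] for f in hits)
    dsts = Counter(f["DST"] for f in hits)
    ttls = Counter(int(f["TTL"]) for f in hits)
    n = len(hits)
    return {
        "hits": n,
        # Many hits from few sources points at a handful of infected/misconfigured boxes,
        # not a flood of random addresses.
        "distinct_sources": len(srcs),
        "hits_per_source": round(n / len(srcs), 2) if srcs else 0.0,
        "top_sources": srcs.most_common(3),
        # Few targets hit repeatedly looks like a misconfiguration (ghost WINS server etc.);
        # the whole range swept looks like a scan or worm.
        "distinct_targets": len(dsts),
        # One TTL shared by "different" sources is a hint that the packets have a single origin.
        "ttl_values": sorted(ttls),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Question 2 (does the handshake complete?) cannot be answered from drop logs alone; it needs a capture or an accept rule on one decoy address.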



