[Dshield] Massive port 135 upswing?
nlindq at maei.ca
Tue Jun 15 16:14:26 GMT 2004
On 15 Jun 2004 at 2:00, Slade Edmonds wrote:
> Frank Knobbe wrote:
> >Without analysis of the payload (perhaps by comparing hashes of the data
> >section of the packet) one can not make conclusive statements about the
> >packet itself.
> Snort sigs are not too bad at this. If you are like most folks out
> there doing packet analysis on TCP 135 you will probably roll your eyes
> and curse MS under your breath before you commence.

I have implemented Snort but I'm not seeing any relevant signatures.

> Let me re-phrase. I used to be concerned / curious about TCP port 135
> traffic patterns. I was seeing so-called 'surges' on a weekly or even
> daily basis.

I too have seen lots of port 135 surges, but we're talking an order
of magnitude increase, here. That's a little more than a surge IMO.

> If that traffic is giving you grief, and it sounds like it
> is, consider dropping it before it has a chance to get at your
> firewall. Works for me and plenty others. Given the nature of this
> list, I think there is no harm in offering some advice.

No worries. :-) We're talking a single DSL connection, though--we
don't have control over the ISP's router, and by the time it gets to
our router/firewall the bandwidth is already spent.

Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
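
The payload comparison Frank Knobbe suggests in the quoted text (hashing the data section of each packet), as an added example that is not part of the original thread: it groups captured TCP 135 packets by the SHA-256 of their payload, so a surge dominated by one identical payload stands out from mixed traffic. The function names, addresses and payload bytes are constructed for illustration, and the packets are assumed to be raw IPv4 without a link-layer header.

```python
import hashlib
import struct
from collections import Counter

def tcp_payload(ip_packet: bytes, dport: int = 135):
    """Return the TCP data section of a raw IPv4 packet sent to dport, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None                              # too short or not IPv4
    ihl = (ip_packet[0] & 0x0F) * 4              # IP header length in bytes
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    if ihl < 20 or ip_packet[9] != 6:            # bad header or not TCP
        return None
    tcp = ip_packet[ihl:min(total_len, len(ip_packet))]  # drop trailing padding
    if len(tcp) < 20 or struct.unpack("!H", tcp[2:4])[0] != dport:
        return None
    data_off = (tcp[12] >> 4) * 4                # TCP header length incl. options
    if data_off < 20 or data_off > len(tcp):
        return None
    return tcp[data_off:]

def group_by_payload_hash(packets, dport: int = 135) -> Counter:
    """Count packets per SHA-256 of the data section; empty payloads are skipped."""
    counts = Counter()
    for pkt in packets:
        data = tcp_payload(pkt, dport)
        if data:                                 # bare SYN/ACK carries no data
            counts[hashlib.sha256(data).hexdigest()] += 1
    return counts

def build_packet(src, dport, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet (checksums left at zero) for the sample only."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(src), bytes([192, 0, 2, 10]))
    return ip + tcp + payload

# Constructed sample: three sources sending the same data, one different payload,
# one packet with no data, and one packet to another port.
SAMPLE = [
    build_packet([198, 51, 100, 1], 135, b"CONSTRUCTED-PAYLOAD-A"),
    build_packet([198, 51, 100, 2], 135, b"CONSTRUCTED-PAYLOAD-A"),
    build_packet([203, 0, 113, 7], 135, b"CONSTRUCTED-PAYLOAD-A"),
    build_packet([203, 0, 113, 9], 135, b"CONSTRUCTED-PAYLOAD-B"),
    build_packet([203, 0, 113, 9], 135, b""),
    build_packet([198, 51, 100, 3], 445, b"CONSTRUCTED-PAYLOAD-A"),
]

if __name__ == "__main__":
    for digest, n in group_by_payload_hash(SAMPLE).most_common():
        print(f"{n:4d}  {digest[:16]}")
```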