[Dshield] Massive port 135 upswing?

Nels Lindquist nlindq at maei.ca
Tue Jun 15 16:14:26 GMT 2004


On 15 Jun 2004 at 2:00, Slade Edmonds wrote:

> Frank Knobbe wrote:

<snip>

> >Without analysis of the payload (perhaps by comparing hashes of the data
> >section of the packet) one can not make conclusive statements about the
> >packet itself.
> 
> Snort sigs are not too bad at this.  If you are like most folks out 
> there doing packet analysis on TCP 135 you will probably roll your eyes 
> and curse MS under your breath before you commence.

I have implemented snort but I'm not seeing any relevant signatures 
triggered...?

> Let me re-phrase.  I used to be concerned / curious about TCP port 135 
> traffic patterns.   I was seeing so-called 'surges' on a weekly or even 
> daily basis.  

I too have seen lots of port 135 surges, but we're talking an order 
of magnitude increase, here.  That's a little more than a surge IMO. 
:-)

> If that traffic is giving you grief, and it sounds like it 
> is, consider dropping it before it has a chance to get at your 
> firewall.  Works for me and plenty others.  Given the nature of this 
> list, I think there is no harm in offering some advice.

No worries. :-)  We're talking a single DSL connection, though--we 
don't have control over the ISP's router, and by the time it gets to 
our router/firewall the bandwidth is already spent.

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
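
The payload comparison Frank Knobbe suggests in the quoted text above (hashing the data section of each packet), as an added example that is not part of the original thread. It parses raw IPv4 packets by hand; `build_packet`, `SAMPLE` and the placeholder byte strings are constructed for illustration and are not real port 135 traffic.

```python
import hashlib
import struct
from collections import Counter

def tcp_data(packet, port=135):
    """Return the TCP data section of a raw IPv4 packet sent to `port`, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                                  # not IPv4 carrying TCP
    ihl = (packet[0] & 0x0F) * 4                     # IP header length in bytes
    total = struct.unpack("!H", packet[2:4])[0]      # IP total length field
    if ihl < 20 or total < ihl + 20 or total > len(packet):
        return None                                  # truncated or malformed
    tcp = packet[ihl:total]                          # excludes link-layer padding
    offset = (tcp[12] >> 4) * 4                      # TCP header length incl. options
    if offset < 20 or offset > len(tcp) or struct.unpack("!H", tcp[2:4])[0] != port:
        return None
    return tcp[offset:]

def cluster_payloads(packets, port=135):
    """Count identical data sections by SHA-256; packets without data counted apart."""
    hashes, empty = Counter(), 0
    for pkt in packets:
        data = tcp_data(pkt, port)
        if data:
            hashes[hashlib.sha256(data).hexdigest()] += 1
        elif data is not None:
            empty += 1                               # bare SYN/ACK, nothing to hash
    return hashes, empty

def build_packet(dport, data, tcp_options=b""):
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left zero."""
    offset = (20 + len(tcp_options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, offset << 4, 0x18, 8192, 0, 0)
    tcp += tcp_options + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + tcp

# Constructed sample capture: five identical payloads, one more with TCP options
# and trailing padding, one different payload, one empty packet, one to port 445.
SAMPLE = ([build_packet(135, b"SAMPLE-A" * 8) for _ in range(5)]
          + [build_packet(135, b"SAMPLE-A" * 8, tcp_options=b"\x01" * 4) + b"\x00" * 6]
          + [build_packet(135, b"SAMPLE-B" * 8), build_packet(135, b""),
             build_packet(445, b"SAMPLE-A" * 8)])

if __name__ == "__main__":
    hashes, empty = cluster_payloads(SAMPLE)
    for digest, count in hashes.most_common():
        print(f"{count:4d}  {digest[:16]}")
```

Hashing only the data section means differing TCP options or frame padding do not split otherwise identical payloads into separate clusters. Packets with no data section, which is all a sensor sees when the initial SYN is dropped, are counted separately because they give the hash nothing to compare.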



