[Dshield] Massive port 135 upswing?
nlindq at maei.ca
Tue Jun 15 17:15:04 GMT 2004
On 15 Jun 2004 at 10:38, Stephane Grobety wrote:
> Possible, but very unlikely IMNSHO. To get a better idea, try to answer
> these questions:
> 1/ Are they trying to connect to all internal machines at random or
> a (few) specific ones ?
Seems to be all. Not that we have a very large netblock, and it's
all contiguous, so it might be difficult to differentiate between the
> 2/ If you let a connection through, does it complete or is it just a
> SYN packet (is it spoofed ?)
I have a few unused IPs currently, so I allowed them through to be
tarpitted by a LaBrea host. I set up snort on the internal interface
to try and get a look at this traffic, but there's not much of
relevance. Now that I think about it, though, LaBrea wouldn't let
the TCP handshake complete anyway, right? That's how it accomplishes
its "teergrubbing". I actually need a port 135 listener of some
sort, I guess...
> 3/ Are the source IPs always different or do you have a reduced number
> of attackers (might be 100 machines, but you see the same IPs appearing
> in the log all over the place).
There are nearly 3000 attackers with a variety of netblocks from
4.x.x.x to 221.x.x.x.
> 4/ What's the TTL on all these packets ? Are they the same ?
Nope, they vary.
> DDoS does not usually use TCP 135 as it's easy to filter and you don't
> need it for the typical Internet traffic.
> If you're seeing such a large number of hits, I would investigate the
> following possibilities:
> 1/ It's a misconfigured network: someone FUBARed the DHCP config of
> some large network and machines are trying to contact a ghost WINS
> server with your IP (just an example).
> 2/ Someone in your IP neighborhood just removed a filter on TCP 135 on
> a network of home users (your ISP, maybe). You're just seeing the
> noise that was filtered before.
> 3/ Someone is scanning your network for machines to turn into zombies
> and he's doing it from a botnet. I think this is unlikely because they
> would be testing for other vulnerabilities as well.
> 4/ Someone is scanning your network in preparation for an attack. In
> order to find machines responding to 135, they are using a port scanner
> that will try to mask the real scanner IP by sending a lot of spoofed
> packets at the same time: this way, you can't know what IP the
> attacker uses.
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
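The four diagnostic questions quoted above (spread across targets, handshake completion, source diversity, TTL consistency) can be answered mechanically from a capture taken on an unfiltered listener, which is the point Nels raises about LaBrea never completing the handshake. The following is an added example, not code from the thread; it assumes a constructed one-line-per-packet log of the form "timestamp src dst ttl tcp-flags" (S = SYN, A = ACK from the same source, i.e. the third handshake packet).

```python
"""Triage helper for a flood of TCP/135 connection attempts (added example).

Answers the four questions from the quoted message over a small constructed
log. The log format (timestamp src dst ttl flags) is an assumption; a real
capture would need a listener that completes the handshake, not a tarpit.
"""
from collections import Counter

# Constructed sample, not real traffic.
SAMPLE_LOG = """\
1087318000 4.20.1.5 192.0.2.10 112 S
1087318001 61.9.8.7 192.0.2.11 48 S
1087318002 221.3.4.5 192.0.2.12 116 S
1087318003 4.20.1.5 192.0.2.13 112 S
1087318004 61.9.8.7 192.0.2.10 48 S
1087318005 61.9.8.7 192.0.2.10 48 A
1087318006 198.51.100.9 192.0.2.14 64 S
1087318007 221.3.4.5 192.0.2.15 53 S
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, src, dst, ttl, flags = line.split()
        rows.append({"src": src, "dst": dst, "ttl": int(ttl), "flags": flags})
    return rows

def triage(rows):
    syns = [r for r in rows if r["flags"] == "S"]
    srcs = Counter(r["src"] for r in syns)
    dsts = Counter(r["dst"] for r in syns)
    # Q2: a source that later sends an ACK completed the three-way handshake,
    # which a spoofed SYN cannot do (the SYN-ACK goes to the forged address).
    completed = {r["src"] for r in rows if r["flags"] == "A"}
    # Q4: a real host shows one stable TTL; several TTLs from one address
    # point to spoofing or to several hosts behind a NAT.
    ttls_per_src = {}
    for r in syns:
        ttls_per_src.setdefault(r["src"], set()).add(r["ttl"])
    return {
        "targets_hit": len(dsts),           # Q1: spread across the netblock?
        "distinct_sources": len(srcs),      # Q3: many attackers or a few?
        "top_sources": srcs.most_common(3),
        "handshake_completers": sorted(completed),
        "sources_with_varying_ttl": sorted(
            s for s, t in ttls_per_src.items() if len(t) > 1),
    }
```

A handful of completed handshakes among thousands of bare SYNs with scattered TTLs is what a spoofed decoy scan (possibility 4) would look like, while consistent TTLs and completed connections from the same addresses point at real, misconfigured or infected hosts.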