[Dshield] Massive port 135 upswing?

Nels Lindquist nlindq at maei.ca
Tue Jun 15 17:15:04 GMT 2004

On 15 Jun 2004 at 10:38, Stephane Grobety wrote:


> Possible, but very unlikely IMNSHO. To get a better idea, try to answer
> these questions:
> 1/ Are they trying to connect to all internal machines at random or
> a (few) specific ones?

Seems to be all.  Not that we have a very large netblock, and it's 
all contiguous, so it might be difficult to differentiate between the 
two cases.

> 2/ If you let a connection through, does it complete or is it just a
> SYN packet (is it spoofed?)

I have a few unused IPs currently, so I allowed them through to be 
tarpitted by a LaBrea host.  I set up snort on the internal interface 
to try and get a look at this traffic, but there's not much of 
relevance.  Now that I think about it, though, LaBrea wouldn't let 
the TCP handshake complete anyway, right?  That's how it accomplishes 
its "teergrubbing".  I actually need a port 135 listener of some 
sort, I guess...

> 3/ Are the source IPs always different or do you have a reduced number
> of attackers (might be 100 machines, but you see the same IPs appearing
> in the log all over the place).

There are nearly 3000 attackers with a variety of netblocks from 
4.x.x.x to 221.x.x.x.

> 4/ What's the TTL on all these packets? Are they the same?

Nope, they vary.

> DDoS attacks do not usually use TCP 135 as it's easy to filter and you don't
> need it for the typical Internet traffic.
> If you're seeing such a large number of hits, I would investigate the
> following possibilities:
> 1/ It's a misconfigured network: someone FUBARed the DHCP config of
> some large network and machines are trying to contact a ghost WINS
> server with your IP (just an example).
> 2/ Someone in your IP neighborhood just removed a filter on TCP 135 on
> a network of home users (your ISP, maybe). You're just seeing the
> noise that was filtered before.
> 3/ Someone is scanning your network for machines to turn into zombies
> and he's doing it from a botnet. I think this is unlikely because they
> would be testing for other vulnerabilities as well.
> 4/ Someone is scanning your network in preparation for an attack. In
> order to find machines responding to 135, they are using a port scanner
> that will try to mask the real scanner IP by sending a lot of spoofed
> packets at the same time: this way, you can't know what IP the
> attacker uses.

Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
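
The triage questions in the thread above (which hosts are hit, how many distinct sources, whether TTLs vary) can be answered directly from firewall logs. The following is an added example, not part of the original post: it assumes netfilter-style LOG lines, and the sample log and the function names `parse` and `triage` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in netfilter LOG style; addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 15 10:01:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 TTL=113 PROTO=TCP SPT=3121 DPT=135 SYN
Jun 15 10:01:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 TTL=113 PROTO=TCP SPT=3122 DPT=135 SYN
Jun 15 10:01:03 fw kernel: IN=eth0 SRC=203.0.113.40 DST=192.0.2.10 TTL=49 PROTO=TCP SPT=4410 DPT=135 SYN
Jun 15 10:01:04 fw kernel: IN=eth0 SRC=203.0.113.40 DST=192.0.2.12 TTL=118 PROTO=TCP SPT=4411 DPT=135 SYN
Jun 15 10:01:05 fw kernel: IN=eth0 SRC=198.51.100.99 DST=192.0.2.11 TTL=107 PROTO=TCP SPT=1045 DPT=135 SYN
Jun 15 10:01:06 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 TTL=52 PROTO=TCP SPT=2200 DPT=80 SYN
"""

FIELD = re.compile(r"\b(SRC|DST|TTL|PROTO|DPT)=(\S+)")

def parse(log_text, port=135):
    """Return (src, dst, ttl) for each TCP hit on `port`; skip other lines."""
    hits = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if (f.get("PROTO") == "TCP" and f.get("DPT") == str(port)
                and {"SRC", "DST", "TTL"} <= f.keys() and f["TTL"].isdigit()):
            hits.append((f["SRC"], f["DST"], int(f["TTL"])))
    return hits

def triage(hits):
    """Summarise the hits along questions 1, 3 and 4 of the thread."""
    per_src = Counter(src for src, _, _ in hits)
    ttls_by_src = defaultdict(set)
    for src, _, ttl in hits:
        ttls_by_src[src].add(ttl)
    total = len(hits)
    return {
        "hits": total,
        "targets": sorted({dst for _, dst, _ in hits}),      # Q1: all hosts or a few?
        "sources": len(per_src),                             # Q3: how many distinct IPs?
        "top_source_share": max(per_src.values()) / total if total else 0.0,
        "ttl_values": sorted({ttl for _, _, ttl in hits}),   # Q4: do TTLs vary?
        # Heuristic (assumption): one host normally arrives with a stable TTL,
        # so a source seen with several TTLs is a candidate for spoofing.
        "sources_with_mixed_ttl": sorted(
            s for s, t in ttls_by_src.items() if len(t) > 1),
    }

if __name__ == "__main__":
    for key, value in triage(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Question 2 (whether the handshake completes) cannot be answered from SYN-only firewall logs; it needs a packet capture or a listener on the target port.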
