[Dshield] Massive port 135 upswing?

Joe Stewart jstewart at lurhq.com
Tue Jun 15 18:04:43 GMT 2004


On Tuesday 15 June 2004 1:15 pm, Nels Lindquist wrote:
> I have a few unused IPs currently, so I allowed them through to be
> tarpitted by a LaBrea host.  I set up snort on the internal interface
> to try and get a look at this traffic, but there's not much of
> relevance.  Now that I think about it, though, LaBrea wouldn't let
> the TCP handshake complete anyway, right?  

It will let the TCP handshake complete, but the TCP window size is 
throttled down so low that even if the remote host begins to send data 
you won't be able to see enough bytes in the packet to understand 
what it's trying to do. And since that first PSH will never be 
ACK'ed, you'll just see TCP retries of the same truncated data until it 
times out.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
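An added example (not from the thread or from LaBrea itself) that checks a captured flow for the three signs Joe describes: a completed handshake, a tiny advertised window from the tarpit side, and the client's first data segment being retried with the same sequence number and never ACKed. The `Pkt` record, the `TINY_WINDOW` threshold and the sample packets are constructed for illustration.

```python
from collections import Counter, defaultdict, namedtuple

TINY_WINDOW = 10  # bytes; constructed threshold for a "throttled" advertised window

# Minimal per-packet record; flags use tcpdump-style letters (S, SA, A, PA).
Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack win plen")

def classify_flow(pkts):
    """Summarise one TCP flow: did the handshake finish, how small is the
    server's window, and are the client's data segments retried unacked?"""
    syn = next((p for p in pkts if p.flags == "S"), None)
    if syn is None:
        return {"verdict": "no-handshake"}
    client, server = (syn.src, syn.sport), (syn.dst, syn.dport)
    from_server = [p for p in pkts if (p.src, p.sport) == server]
    from_client = [p for p in pkts if (p.src, p.sport) == client]
    synack = next((p for p in from_server if p.flags == "SA"), None)
    if synack is None or not any(p.flags == "A" and p.ack == synack.seq + 1 for p in from_client):
        return {"verdict": "no-handshake"}
    data = [p for p in from_client if p.plen > 0]
    # A retransmit is the same client sequence number carrying data again.
    retries = sum(n - 1 for n in Counter(p.seq for p in data).values())
    # Has the server ever ACKed past the first data byte the client sent?
    first = min((p.seq for p in data), default=None)
    acked = first is not None and any(p.ack > first for p in from_server)
    tarpit = synack.win <= TINY_WINDOW and retries > 0 and not acked
    return {"verdict": "tarpit-like" if tarpit else "normal",
            "server_window": synack.win, "data_retransmits": retries,
            "data_acked": acked,
            "max_visible_payload": max((p.plen for p in data), default=0)}

def classify_all(packets):
    """Group packets into flows (either direction) and classify each."""
    flows = defaultdict(list)
    for p in packets:
        flows[tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))].append(p)
    return {k: classify_flow(v) for k, v in flows.items()}

# Constructed sample: one port 135 connection into a window-throttled tarpit.
C, S = ("198.51.100.7", 3412), ("203.0.113.9", 135)
SAMPLE = [
    Pkt(*C, *S, "S", 1000, 0, 65535, 0),
    Pkt(*S, *C, "SA", 5000, 1001, 5, 0),      # handshake completes, window = 5
    Pkt(*C, *S, "A", 1001, 5001, 65535, 0),
    Pkt(*C, *S, "PA", 1001, 5001, 65535, 5),  # first PSH, only 5 bytes visible
    Pkt(*C, *S, "PA", 1001, 5001, 65535, 5),  # retry of the same bytes, never ACKed
    Pkt(*C, *S, "PA", 1001, 5001, 65535, 5),
]
```

Run over a real capture, `max_visible_payload` shows how little of the probe the tarpit ever lets through, which is why the snort rules on the internal interface have nothing to match.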
