[Dshield] TCP/3389 (MS Terminal Services) Probes

Bill McCarty bmccarty at pt-net.net
Fri Mar 5 07:09:43 GMT 2004

Hi all,

The Handler's Diary for March 3 mentions a traffic spike related to 
TCP/3389 (MS Terminal Services) and suggests that the spike may be due to 
reporting bias. I have some reason to suspect otherwise.

On each of four recent days (Feb. 4, 11, 22, and 23) one of my class C 
networks has been swept for services listening on TCP/3389. I don't recall 
other such sweeps within recent memory. My experience may be idiosyncratic; 
but, if not, the traffic spike is indeed indicative of widespread activity, 
rather than activity affecting one of more large DShield submitters.

On a more generally note, I think it would be useful if the DShield data 
reported a count of the number of submitters reporting traffic on a 
particular port. This would provide an indication of the degree to which a 
given change in traffic was widespread or merely idiosyncratic to a few 
submitters having large networks.


Bill McCarty

More information about the list mailing list