[Dshield] TCP/3389 (MS Terminal Services) Probes

Rick Klinge rick at jaray.net
Fri Mar 5 13:40:08 GMT 2004


 
> The Handler's Diary for March 3 mentions a traffic spike related to
> TCP/3389 (MS Terminal Services) and suggests that the spike may be due to
> reporting bias. I have some reason to suspect otherwise.
>
> On each of four recent days (Feb. 4, 11, 22, and 23) one of my class C
> networks has been swept for services listening on TCP/3389. I don't recall
> other such sweeps within recent memory. My experience may be idiosyncratic;
> but, if not, the traffic spike is indeed indicative of widespread activity,
> rather than activity affecting one or more large DShield submitters.
>
> On a more general note, I think it would be useful if the DShield data
> reported a count of the number of submitters reporting traffic on a
> particular port. This would provide an indication of the degree to which a
> given change in traffic was widespread or merely idiosyncratic to a few
> submitters having large networks.
> 
> Cheers,
> 
> ---------------------------------------------------
> Bill McCarty
> 

I agree with this very much.  I sit on two separate networks and have
noticed 3389 being swept.  


~Rick
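
Added example, not part of the original messages: the per-port submitter count proposed in the quoted message, computed over constructed records to show how a raw report total can hide whether a spike is broad or comes from one large submitter. The record layout, submitter names, port 8081 row and thresholds are assumptions for illustration, not DShield's actual data format.

```python
from collections import defaultdict

# Constructed sample records: (submitter_id, dst_port, packets_reported).
# The field layout is hypothetical, not DShield's actual submission format.
REPORTS = [
    ("sub-A", 3389, 250), ("sub-B", 3389, 240), ("sub-C", 3389, 260),
    ("sub-D", 3389, 255), ("sub-E", 3389, 245),
    ("sub-A", 8081, 4900), ("sub-B", 8081, 12),
]


def port_breadth(reports):
    """Per port: total reports, distinct submitters, share from the largest submitter."""
    per_port = defaultdict(lambda: defaultdict(int))
    for submitter, port, count in reports:
        per_port[port][submitter] += count
    summary = {}
    for port, by_sub in per_port.items():
        total = sum(by_sub.values())
        summary[port] = {
            "total": total,
            "submitters": len(by_sub),
            "top_share": max(by_sub.values()) / total,
        }
    return summary


def classify(stats, min_submitters=3, max_top_share=0.5):
    """Label a port as 'widespread' or 'concentrated' (thresholds are illustrative)."""
    if stats["submitters"] >= min_submitters and stats["top_share"] <= max_top_share:
        return "widespread"
    return "concentrated"


if __name__ == "__main__":
    # Columns: port, total reports, distinct submitters, top submitter share, label
    for port, stats in sorted(port_breadth(REPORTS).items()):
        print(port, stats["total"], stats["submitters"],
              f"{stats['top_share']:.2f}", classify(stats))
```

In this constructed data the port with the larger raw total is the one dominated by a single submitter, which is the reporting-bias case the submitter count is meant to expose.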
