[Dshield] TCP/3389 (MS Terminal Services) Probes

Rick Klinge rick at jaray.net
Fri Mar 5 13:40:08 GMT 2004

> The Handler's Diary for March 3 mentions a traffic spike related to
> TCP/3389 (MS Terminal Services) and suggests that the spike may be due to
> reporting bias. I have some reason to suspect otherwise.
>
> On each of four recent days (Feb. 4, 11, 22, and 23) one of my class C
> networks has been swept for services listening on TCP/3389. I don't recall
> other such sweeps within recent memory. My experience may be idiosyncratic;
> but, if not, the traffic spike is indeed indicative of widespread activity,
> rather than activity affecting one or more large DShield submitters.
>
> On a more general note, I think it would be useful if the DShield data
> reported a count of the number of submitters reporting traffic on a
> particular port. This would provide an indication of the degree to which a
> given change in traffic was widespread or merely idiosyncratic to a few
> submitters having large networks.
>
> Cheers,
> ---------------------------------------------------
> Bill McCarty

I agree with this very much.  I sit on two separate networks and have
noticed 3389 being swept.  


