[Dshield] Where are they getting their information?

Johannes B. Ullrich jullrich at sans.org
Fri Jun 24 18:02:32 GMT 2005

> I would love to know where they are getting their information.  As
> stated in today's diary the last spike was back in May.   

The first mention about a port 445 spike came from DHS as far as I can
tell. However, they didn't specify any details as to the nature of this
spike, or how they detected it. As far as I can tell, others did read
this note (it was part of the daily DHS summary feed) and didn't want to
be left behind, so they echoed the announcement.

Just a note about port 445:

People that are not scanned on 445 are lucky enough to have their ISP
block it for them. It has been one of our top scanned ports for a long
time now. Occasionally, you will see local spikes on port 445, as much
of the scanning is performed by bots, which tend to focus on netblocks
believed to be vulnerable.

Now if you have a lesser sensor network, you may not know that you see a
spike because today it's "scan a fed day" or because it is a new exploit.
In particular, you will not be able to distinguish the two if you just
look at packets blocked at firewalls (which are likely SYN packets
without payload).

In order to detect a significant spike on port 445 using firewall logs,
you need a truly great and diverse sensor network like DShield. ( ;-) ).
And I can state that we did not detect any significant change in port
445 scanning patterns.

Now there is a relatively new SMB vulnerability, and I would expect some
good exploits for it soon. We do see some target list collection efforts
between a vulnerability being announced and having an exploit widely
available. However, this activity is likely lost in the overall port 445
noise, and target lists for 445 already exist from prior exploits.

Anyway: Nothing to see here. If you left port 445 open, you are likely
already owned by someone using an older exploit; if you have port 445
closed, it shouldn't matter if a new exploit is used or not.

Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS

"We use [isc.sans.org] every day to keep on top of
 security at our bank" Matt, Network Administrator.
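
The distinction drawn in the message between a local port 445 spike and a change in overall scanning, as an added example that is not part of the original post and not DShield's code or data. The record layout, sensor names, thresholds (`factor`, `broad_fraction`, `min_sensors`) and all counts are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def classify_spike(records, port, day, factor=3.0, broad_fraction=0.5, min_sensors=5):
    """records: iterable of (day, sensor, dst_port, blocked_count) from firewall logs.
    Returns (label, elevated_sensors) for `port` on `day`."""
    history = defaultdict(dict)                 # sensor -> {day: blocked count}
    for d, sensor, p, count in records:
        if p == port:
            history[sensor][d] = history[sensor].get(d, 0) + count
    elevated, compared = [], 0
    for sensor, per_day in history.items():
        prior = [c for d, c in per_day.items() if d < day]
        if not prior:
            continue                            # no baseline for this sensor
        compared += 1
        baseline = max(median(prior), 1)        # per-sensor baseline, floor of 1
        if per_day.get(day, 0) > factor * baseline:
            elevated.append(sensor)
    elevated.sort()
    if not elevated:
        return "no change", elevated
    if compared < min_sensors:
        # Too few vantage points: a targeted sweep of these netblocks and a
        # network-wide change look identical in blocked-SYN counts.
        return "undetermined", elevated
    if len(elevated) / compared >= broad_fraction:
        return "broad", elevated
    return "local", elevated

def constructed_logs(spiking):
    """Constructed sample: 8 sensors, 7 baseline days, day 8 elevated on `spiking`."""
    rows = []
    for i in range(8):
        sensor = f"sensor{i}"
        for day in range(1, 8):
            rows.append((day, sensor, 445, 100 + 10 * i + day))
        today = 100 + 10 * i
        rows.append((8, sensor, 445, today * 6 if sensor in spiking else today))
    return rows

if __name__ == "__main__":
    logs = constructed_logs({"sensor2"})
    print(classify_spike(logs, 445, 8))                        # all eight sensors
    only_one = [r for r in logs if r[1] == "sensor2"]
    print(classify_spike(only_one, 445, 8))                    # single vantage point
```
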
