[Dshield] Possible problem?

Chris Buechler cbuechler at gmail.com
Wed Mar 9 23:36:02 GMT 2005

On Mon, 7 Mar 2005 15:18:01 -0500, Paul Marsh <pmarsh at nmefdn.org> wrote:
> I did an nmap scan on one of my users' home systems.  It's a typical
> broadband connection; a default TCP scan revealed ports 21, 25 and 80 open.
> In the past I've found that these ports belong to the broadband modem.
> I then did a -sU default UDP and found the following:
> 135/udp  filtered msrpc
> 136/udp  filtered profile
> 138/udp  filtered netbios-dgm
> 1434/udp filtered ms-sql-m

nmap reporting filtered on ports to typical broadband accounts has
usually meant, in my experience, the ISP is filtering the ports before
the traffic gets to the user.  That it's showing filtered UDP but no
TCP ports is a bit out of the ordinary.

For example, scanning a cable modem IP with a firewall that will
silently drop all traffic, I get the following results:

111/tcp   filtered rpcbind
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
512/tcp   filtered exec
513/tcp   filtered login
514/tcp   filtered shell
515/tcp   filtered printer
593/tcp   filtered http-rpc-epmap
1080/tcp  filtered socks
1433/tcp  filtered ms-sql-s
1434/tcp  filtered ms-sql-m
17300/tcp filtered kuang2

On UDP, nmap shows open|filtered on this same host because it's hard
to tell the difference (google on it, you'll find info).  They
definitely aren't open.

53/udp   open|filtered domain
67/udp   open|filtered dhcpserver
68/udp   open|filtered dhcpclient
69/udp   open|filtered tftp
111/udp  open|filtered rpcbind
135/udp  open|filtered msrpc
136/udp  open|filtered profile
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
139/udp  open|filtered netbios-ssn
161/udp  open|filtered snmp
177/udp  open|filtered xdmcp
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
514/udp  open|filtered syslog
520/udp  open|filtered route
593/udp  open|filtered http-rpc-epmap
1080/udp open|filtered socks
1433/udp open|filtered ms-sql-s
1434/udp open|filtered ms-sql-m

I've found this isn't uncommon at all.  This filtering is applied by
the ISP in question on inbound traffic to client networks only.

Firewall logs and tcpdump further prove the traffic never got to the
outside of the firewall.

My point: it's almost certainly from the ISP, filtering the inbound
traffic.  A sniffer on a separate system would be a good way to
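To make the filtered vs. open|filtered reasoning in the reply concrete, here is an added example (not part of the original thread or any poster's code) that parses nmap's port lines and applies the interpretation Chris gives. The sample lines are constructed from the two scans quoted above, and the set of "ISP-blocked" ports is taken from his TCP list; the state rules in the comments are nmap's documented UDP scan semantics.

```python
import re
from collections import Counter, defaultdict

# Sample nmap lines, constructed from the two scans quoted in the thread.
SAMPLE = """\
135/tcp   filtered msrpc
445/tcp   filtered microsoft-ds
1434/tcp  filtered ms-sql-m
53/udp    open|filtered domain
135/udp   filtered msrpc
1434/udp  filtered ms-sql-m
"""

# Ports the thread shows ISPs dropping upstream (RPC/NetBIOS/SMB, MS SQL).
ISP_FILTERED_PORTS = {135, 136, 137, 138, 139, 445, 1433, 1434}
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text):
    """Parse 'port/proto state service' lines into (port, proto, state) tuples."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3)))
    return out

def state_counts(results):
    """Per-protocol tally of nmap states, e.g. {'udp': {'filtered': 2, ...}}."""
    counts = defaultdict(Counter)
    for _port, proto, state in results:
        counts[proto][state] += 1
    return {p: dict(c) for p, c in counts.items()}

def interpret(results):
    """Findings a defender can act on, following the reasoning in the thread."""
    findings = []
    filtered = {(port, proto) for port, proto, state in results if state == "filtered"}
    upstream = {pp for pp in filtered if pp[0] in ISP_FILTERED_PORTS}
    if filtered and upstream == filtered:
        findings.append("all filtered ports are in the usual ISP-blocked set; "
                        "upstream filtering likely, not a host firewall")
    protos = {proto for _, proto in filtered}
    if "udp" in protos and "tcp" not in protos:
        # nmap marks a UDP port 'filtered' only when an ICMP unreachable other than
        # port-unreachable (type 3, codes 1/2/9/10/13) comes back, so this pattern means
        # something on the path actively rejects UDP probes while TCP passes through.
        findings.append("UDP filtered with no TCP filtered: a device on the path is "
                        "rejecting UDP only; check the ISP or modem, not the host")
    if any(state == "open|filtered" for _, _, state in results):
        # open|filtered: no reply at all, so open and silently dropped look identical.
        findings.append("open|filtered means no reply; confirm with a sniffer inside")
    return findings
```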
