Port 1434: Sudden Slammer Decline?
We're interested to know what's happening out there. It has been observed through DShield data that Slammer traffic has had a sudden decline. I played with the data for a while. I could make it look like many things, such as a slow and steady decline over time. However, the most compelling story is the one where the data drops on March 9 and 10.
Below is the DShield data and graph on port 1434 for March 2011. The cause of the sudden drop is speculative at this point. Japan's earthquake or Patch Tuesday have been kicked around. I would be remiss if I did not mention Kevin Liston's series on Slammer Cleanup during October. We love the thought that his great effort was a catalyst for its eradication.
So go back and take a look at your data for us and share what you're seeing. Send us your thoughts on this.

# portascii.html
# Start Date: 2011-03-01
# End Date: 2011-03-21
# Port: 1434
# created: Mon, 21 Mar 2011 10:15:34 +0000
# Date in GMT. YYYY-MM-DD format.
date        records  targets  sources  tcpratio
2011-03-01  42862    37215    129      0
2011-03-02  62157    50028    158      0
2011-03-03  46789    37745    140      0
2011-03-04  37634    32068    109      0
2011-03-05  62649    50868    121      0
2011-03-06  62221    49475    149      0
2011-03-07  44110    39895    144      0
2011-03-08  60921    46609    140      0
2011-03-09  38503    32512    151      0
2011-03-10  23459    19438    106      0
2011-03-11  1411     1282     49       1
2011-03-12  1740     1702     30       0
2011-03-13  1414     1384     30       1
2011-03-14  1151     944      33       0
2011-03-15  1256     883      50       2
2011-03-16  1021     667      52       4
2011-03-17  1542     599      48       2
2011-03-18  978      515      37       8
2011-03-19  794      639      33       3
2011-03-20  766      635      34       3
2011-03-21  533      435      16       1
# (c) SANS Inst. / DShield. some rights reserved.
# Creative Commons ShareAlike License 2.5
# http://creativecommons.org/licenses/by-nc-sa/2.5/
--
Kevin Shortt
ISC Handler on Duty