SANS ISC: DShield analysis - SANS Internet Storm Center SANS ISC InfoSec Forums

DShield analysis

Analysing the DShield.log, there were two topics I couldn't find information on:

- TTL: the default is 64, but nearly all scanners use a TTL around 250, and the "attackers" (trying to log in) use a TTL around 250

- Source port: default for Linux is above 32,000, but there are a number of scans with source port below

It seems most of the scans are using nmap (windows-size=1024), but my checks did not confirm any unusual TTL or source ports.

Do the specific TTL and source port reveal anything about the scanners?

