Hello, welcome to the Monday, June 19th, 2017 edition of the Santernat Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm reporting from Minneapolis, Minnesota.

Lorna noticed on Friday an uptick in Port 83 scans.

Now, there isn't any obvious service assigned to port 83 we set up some honeypots on

port 83 and really got a variety of different packets some TCP packets that after

complete handshake we get something in binary, not obviously matching a particular

protocol, some HTTP over UDP, and then also some of the Universal Plug-in-Play.

Now, Universal Plug-Nplay does look like HTTP, but when I say HTTP traffic over UDP, that actually

was not universal plug-and-play.

Instead, it did look exactly like what you would expect for HTTP.

Now, a couple options here, the quick protocol that Google is using, it uses UDP and essentially does

HTTP over UDP, but it has its own special structure, so this does not look like quick.

Now according to Shodan, the most common server found on Port 83, happens to be HTTP, and well, it makes

out of sense that 83 is used as an alternative port for 80. The next in the list is FTP. Not sure

why people run FTP on Port 83, but sure, why not?

So if you got any insight, please share it with us.

There are samples in Lorna's diary about the traffic that she saw on Port 83.

And last week, FortyNet did release details about denial of service vulnerability in the WINS service after Microsoft stated that they will not fix this vulnerability.

All you have to do is establish three replication sessions with a WINS server and it will

essentially hang. Now the problem of course with WINS server and it will essentially hang.

Now the problem of course with WINS is that Microsoft has clearly labeled it as a legacy service.

You shouldn't really be running WINS.

...