Q

My firewall keeps reporting intrusion attempts described as "DCE endpoint resolution." What's going

My firewall keeps reporting intrusion attempts described as "DCE endpoint resolution." What's going on? The intrusion...

even seems to be coming from my own ISP on TCP port 135!

Port 135 is registered as "epmap - DCE endpoint resolution" and can be enumerated by connecting on port 135 and doing the appropriate queries. Mostly used by Microsoft for RPC locator service, it can be used to lookup what ports other services are running on Distributed Computing Environment (DCE) services on the remote host. An attacker may use this fact to gain more knowledge about the remote host. Trojans are a common example that exploits this vulnerability.

The solution: filter incoming traffic to this port. If possible, this port should NOT be opened except in certain circumstances where you are protected by another firewall (e.g. in a corporate DMZ situation).

This was last published in January 2005

Dig Deeper on Network Security Monitoring and Analysis

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

SearchSDN

SearchEnterpriseWAN

SearchUnifiedCommunications

SearchMobileComputing

SearchDataCenter

SearchITChannel

Close