[Dshield] UDP:137 probes - picking up steam?
Daniel Gerald Kluge
dkluge at acm.org
Thu Nov 7 11:00:40 GMT 2002
On Thursday, October 24, 2002, at 09:52 PM, David Kennedy CISSP wrote:
> At 11:24 AM 10/24/02 -0500, Brad Wyman wrote:
>> On Thu, 24 Oct 2002, John Sage wrote:
>>> Is the UDP:137 background noise picking up steam, or is it just
>> I noticed this as well, UDP:137 had gotten really noisy over the
>> last few days. I normally tune it out, but this has me curious
> Everyone with a perimeter router (DSL, wireless, cable too) should
> ACL 135-139, in & out, TCP & UDP and go for coffee during the time
> they'd otherwise be reading log entries on these ports. None of my
> DShield submissions include these ports.
So, you say one should just ignore it, and live with the elevated noise?
Currently the 137 traffic seems to beat everything else by at least an
order of magnitude. On my DSL line, I have normally under 10 events per
day, currently (thanks to UDP 137 traffic) it's never under 100,
topping out at over 350 a day. This means that (from my perspective at
least) we now have a ten times higher background noise.
So the next generation IDS will include similar magic as radio scanners
do that have to find Spread Spectrum (DSS) emissions, since they will
have the same job: Find emissions whose signal strength is below the
background noise level.
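
An added example, not part of the original messages or of DShield's tooling: one way to apply the quoted 135-139 TCP/UDP filter to a firewall log before review, while still counting the filtered events per day so the background level discussed above stays visible. The log format, the sample lines and the name `split_noise` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Ports the quoted advice filters: 135-139, TCP and UDP.
NETBIOS_PORTS = range(135, 140)

# Constructed log format (an assumption, not a real firewall's output):
# "<date> <time> DROP <proto> <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ DROP (?P<proto>TCP|UDP) "
    r"\S+:\d+ -> \S+:(?P<dport>\d+)$"
)

# Constructed sample data using documentation address ranges.
SAMPLE_LOG = """\
2002-11-06 01:12:09 DROP UDP 203.0.113.7:1026 -> 192.0.2.10:137
2002-11-06 01:40:51 DROP UDP 203.0.113.9:1031 -> 192.0.2.10:137
2002-11-06 03:02:33 DROP TCP 198.51.100.4:4312 -> 192.0.2.10:139
2002-11-06 07:15:00 DROP TCP 198.51.100.23:2201 -> 192.0.2.10:1433
2002-11-07 00:03:17 DROP UDP 203.0.113.50:1027 -> 192.0.2.10:137
2002-11-07 02:44:40 DROP TCP 198.51.100.8:3310 -> 192.0.2.10:80
this line is malformed and is skipped
2002-11-07 09:30:02 DROP UDP 203.0.113.61:1029 -> 192.0.2.10:1434
"""

def split_noise(log_text):
    """Return (noise_per_day, other_events) for a block of log text.

    noise_per_day: Counter of day -> events on ports 135-139.
    other_events:  dict of day -> list of (proto, dport) left after filtering.
    """
    noise = Counter()
    other = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are dropped, not guessed at
        day, proto, dport = m["day"], m["proto"], int(m["dport"])
        if dport in NETBIOS_PORTS:
            noise[day] += 1
        else:
            other[day].append((proto, dport))
    return noise, dict(other)

if __name__ == "__main__":
    noise, other = split_noise(SAMPLE_LOG)
    for day in sorted(set(noise) | set(other)):
        rest = other.get(day, [])
        print(f"{day}: {noise[day]} filtered (135-139), {len(rest)} kept: {rest}")
```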