[Dshield] UDP:137 probes - picking up steam?

Daniel Gerald Kluge dkluge at acm.org
Thu Nov 7 11:00:40 GMT 2002

On Thursday, October 24, 2002, at 09:52  PM, David Kennedy CISSP wrote:

> At 11:24 AM 10/24/02 -0500, Brad Wyman wrote:
>> On Thu, 24 Oct 2002, John Sage wrote:
>>> Is the UDP:137 background noise picking up steam, or is it just
>>> me?
>> I noticed this as well, UDP:137 had gotten realy noisy over that
>> last few days. i normaly tune it out, but this has me curious
> Everyone with a perimeter router (DSL, wireless, cable too) should
> ACL 135-139, in & out, TCP & UDP and go for coffee during the time
> they'd otherwise be reading log entries on these ports.  None of my
> DShield submissions include these ports.

So, you say one should just ignore it, and live with the elevated noise?

Currently the 137 traffic seems to beat everything else by at least an 
order of magnitude. On my DSL line, I have normally under 10 events per 
day, currently (thanks to UDP 137 traffic) it's never under 100, 
topping out at over 350 a day. This means that (from my perspective at 
least) we now have a ten times higher background noise.

So the next generation IDS will include similar magic as radio scanners 
do that have to find Spread Spectrum (DSS) emissions, since they will 
have the same job: Find emissions whose signal strength is below the 
background noise level.


More information about the list mailing list