[Dshield] UDP:137 probes - picking up steam?

John Sage jsage at finchhaven.com
Fri Nov 8 07:14:47 GMT 2002


On Thu, Nov 07, 2002 at 03:00:40AM -0800, Daniel Gerald Kluge wrote:
> On Thursday, October 24, 2002, at 09:52  PM, David Kennedy CISSP wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > At 11:24 AM 10/24/02 -0500, Brad Wyman wrote:
> >>
> >> On Thu, 24 Oct 2002, John Sage wrote:
> >>
> >>> Is the UDP:137 background noise picking up steam, or is it just
> >>> me?
> >>>
> >>
> >> I noticed this as well, UDP:137 had gotten really noisy over the
> >> last few days. I normally tune it out, but this has me curious
> >>
> >
> > Everyone with a perimeter router (DSL, wireless, cable too) should
> > ACL 135-139, in & out, TCP & UDP and go for coffee during the time
> > they'd otherwise be reading log entries on these ports.  None of my
> > DShield submissions include these ports.
> >
> 
> So, you say one should just ignore it, and live with the elevated noise?

I think the important point is that it's real hard to know what to
*do* about this latest form of background noise...

In the last 72 hours, on my dialup at home, I've had 1399 UDP:137
probes from 1314 different source IPs.

The vast majority, when I was bothering to do host name lookups, are
DSL- or cable-based, or from Korea or Taiwan, or both.

The chances of successfully notifying anyone, and getting these
infected machines taken off-line let alone fixed, are probably slightly
less than zero...

That's why the best advice may just be to drop the traffic, and
otherwise ignore it.



- John
-- 
Forest: a collection of trees

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
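
An added example, not part of the original post: one way to produce the kind of tally quoted above (probes versus distinct source IPs) from firewall logs. The Linux netfilter LOG line format, the sample lines and the function names are assumptions; the post does not say which firewall or tooling produced its counts.

```python
import re
from collections import Counter

# Constructed sample lines in netfilter LOG style (assumed format).
SAMPLE_LOG = """\
Nov  7 21:02:11 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=1026 DPT=137
Nov  7 21:02:40 gw kernel: IN=ppp0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=UDP SPT=1030 DPT=137
Nov  7 21:03:05 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=1026 DPT=137
Nov  7 21:04:19 gw kernel: IN=ppp0 OUT= SRC=203.0.113.200 DST=192.0.2.10 PROTO=UDP SPT=1025 DPT=137
Nov  7 21:05:02 gw kernel: IN=ppp0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=3411 DPT=139
Nov  7 21:05:30 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Nov  7 21:06:48 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=1028 DPT=137
"""

FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")
NETBIOS_PORTS = range(135, 140)  # 135-139, the range the thread suggests ACLing


def parse(line):
    """Return (src, proto, dport), or None for lines without a port (e.g. ICMP)."""
    f = dict(FIELD.findall(line))
    if not {"SRC", "PROTO", "DPT"} <= set(f) or not f["DPT"].isdigit():
        return None
    return f["SRC"], f["PROTO"], int(f["DPT"])


def summarize(log_text, proto="UDP", ports=(137,)):
    """Count probes and distinct sources for one protocol and a set of ports."""
    per_source = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[1] == proto and rec[2] in ports:
            per_source[rec[0]] += 1
    probes, sources = sum(per_source.values()), len(per_source)
    return {
        "probes": probes,
        "sources": sources,
        # A ratio near 1.0 means almost every source probed only once.
        "probes_per_source": round(probes / sources, 2) if sources else 0.0,
        "repeaters": sorted(s for s, n in per_source.items() if n > 1),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
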



