[Dshield] UDP:137 probes - picking up steam?
jsage at finchhaven.com
Fri Nov 8 07:14:47 GMT 2002
On Thu, Nov 07, 2002 at 03:00:40AM -0800, Daniel Gerald Kluge wrote:
> On Thursday, October 24, 2002, at 09:52 PM, David Kennedy CISSP wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > At 11:24 AM 10/24/02 -0500, Brad Wyman wrote:
> >> On Thu, 24 Oct 2002, John Sage wrote:
> >>> Is the UDP:137 background noise picking up steam, or is it just
> >>> me?
> >> I noticed this as well, UDP:137 had gotten really noisy over the
> >> last few days. I normally tune it out, but this has me curious
> > Everyone with a perimeter router (DSL, wireless, cable too) should
> > ACL 135-139, in & out, TCP & UDP and go for coffee during the time
> > they'd otherwise be reading log entries on these ports. None of my
> > DShield submissions include these ports.
> So, you say one should just ignore it, and live with the elevated noise?
I think the important point is that it's real hard to know what to
*do* about this latest form of background noise...
In the last 72 hours, on my dialup at home, I've had 1399 UDP:137
probes from 1314 different source IPs.
The vast majority, when I was bothering to do host name lookups, are
DSL- or cable-based, or from Korea or Taiwan, or both.
The chances of successfully notifying anyone, and getting these
infected machines taken off-line let alone fixed, are probably slightly
less than zero...
That's why the best advice may just be to drop the traffic, and
otherwise ignore it.
Forest: a collection of trees
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
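
Added example, not part of the original message: one way to produce the kind of tally quoted above (probes versus distinct sources) from firewall logs. It assumes netfilter LOG-format lines, which the post does not specify; the sample lines are constructed and use documentation address ranges, and `summarize` is a hypothetical helper name. A probes-per-source ratio close to 1 (1399 / 1314 is about 1.06) means almost every probe comes from a different address.

```python
import re
from collections import Counter

# Constructed sample in netfilter LOG format (an assumption; the post does
# not say which firewall produced its counts). Documentation addresses only.
SAMPLE_LOG = """\
Nov  8 06:58:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=78 TTL=113 PROTO=UDP SPT=1026 DPT=137 LEN=58
Nov  8 06:58:09 gw kernel: IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=78 TTL=110 PROTO=UDP SPT=1031 DPT=137 LEN=58
Nov  8 06:59:40 gw kernel: IN=ppp0 OUT= SRC=192.0.2.14 DST=198.51.100.7 LEN=48 TTL=108 PROTO=TCP SPT=3312 DPT=139 WINDOW=8192 SYN
Nov  8 07:01:12 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=78 TTL=113 PROTO=UDP SPT=1026 DPT=137 LEN=58
Nov  8 07:02:30 gw kernel: IN=ppp0 OUT= SRC=192.0.2.200 DST=198.51.100.7 LEN=78 TTL=115 PROTO=UDP SPT=1029 DPT=137 LEN=58
Nov  8 07:03:02 gw kernel: IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 SYN
"""

# Only the three key=value fields needed for the tally.
FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")


def summarize(log_text, proto="UDP", ports=frozenset({137})):
    """Count probes and distinct sources for proto/ports in LOG-format text."""
    per_source = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        # Skip lines for other protocols or without a numeric destination port.
        if f.get("PROTO") != proto or not f.get("DPT", "").isdigit():
            continue
        if int(f["DPT"]) in ports and "SRC" in f:
            per_source[f["SRC"]] += 1
    probes = sum(per_source.values())
    sources = len(per_source)
    return {
        "probes": probes,
        "sources": sources,
        # Near 1.0: widely distributed sources, each seen about once.
        "probes_per_source": round(probes / sources, 2) if sources else 0.0,
        "repeaters": sorted(s for s, n in per_source.items() if n > 1),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    # TCP side of the 135-139 range named in the quoted ACL advice.
    print(summarize(SAMPLE_LOG, proto="TCP", ports=frozenset(range(135, 140))))
```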