[Dshield] Ten-fold increase in NetBIOS scans

Bill McCarty bmccarty at pt-net.net
Fri Feb 6 09:12:48 GMT 2004

Hi all,

Today, one of my networks having about 70 active hosts saw 9915 NetBIOS 
probes having source and destination port 137, from 86 source IPs. At 
intervals of about one second, each source sent a series of three or more 
probes--I've seen series including as many as twenty-one probes--to each 
target IP.

Yesterday, I saw only 1622 NetBIOS scans having source and destination port 
137, a traffic volume more typical of recent history. All of yesterday's 
scans originated from a single source IP. Thus the one-day increase in 
traffic volume is almost 10x. And, the one-day increase in sources is 
almost 100x.

I notice that the DShield data at 
cent=N&days=70&Redraw=> shows a 1.5-2x surge in port 137 traffic beginning 
about Jan. 6. So, others are apparently seeing increased NetBIOS traffic 
volumes. I don't recall reading comments on the increase about the time it 
first occurred. Did I miss them? And, does anyone have any idea concerning 
the cause of the increase?


Bill McCarty
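
Added example, not part of the original post: one way to derive the per-day probe and source counts described above, and to pick out the series of three or more closely spaced probes from one source to one target. The log format, the function names and the 2-second gap threshold are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a hypothetical log format (documentation-range IPs).
SAMPLE = """\
2004-02-05T10:00:00 UDP 198.51.100.7:137 -> 192.0.2.10:137
2004-02-06T09:00:00 UDP 203.0.113.5:137 -> 192.0.2.10:137
2004-02-06T09:00:01 UDP 203.0.113.5:137 -> 192.0.2.10:137
2004-02-06T09:00:02 UDP 203.0.113.5:137 -> 192.0.2.10:137
2004-02-06T09:00:03 UDP 203.0.113.9:137 -> 192.0.2.11:137
2004-02-06T09:00:09 UDP 203.0.113.9:137 -> 192.0.2.11:137
2004-02-06T09:00:10 UDP 203.0.113.9:1025 -> 192.0.2.11:137
""".splitlines()

LINE = re.compile(r"(\S+) UDP (\S+):137 -> (\S+):137$")

def parse(lines):
    """Yield (timestamp, src, dst) for UDP records with source AND destination port 137."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def daily_summary(lines):
    """Return {date: (probe_count, distinct_source_count)}."""
    days = defaultdict(list)
    for ts, src, _ in parse(lines):
        days[ts.date().isoformat()].append(src)
    return {d: (len(s), len(set(s))) for d, s in days.items()}

def probe_series(lines, min_len=3, max_gap=2.0):
    """Return (src, dst, length) for runs of >= min_len probes spaced <= max_gap seconds apart."""
    by_pair = defaultdict(list)
    for ts, src, dst in sorted(parse(lines)):  # sort by time in case the log is unordered
        by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), times in by_pair.items():
        run = 1
        # The trailing None closes the final run of each (src, dst) pair.
        for prev, cur in zip(times, times[1:] + [None]):
            if cur is not None and (cur - prev).total_seconds() <= max_gap:
                run += 1
            else:
                if run >= min_len:
                    found.append((src, dst, run))
                run = 1
    return found

print(daily_summary(SAMPLE), probe_series(SAMPLE))
```

Comparing the tuples for two consecutive dates gives the day-over-day ratios for probe volume and source count.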

