[Dshield] Ten-fold increase in NetBIOS scans

Lauro, John jlauro at umflint.edu
Fri Feb 6 13:40:11 GMT 2004


Here is the top DPT I am dropping in one minute (just now) for our
class B:
    223 DPT=137
    230 DPT=5000
    964 DPT=4444
   1590 DPT=80
   1958 DPT=445
   2411 DPT=135
   3684 DPT=3127
   3952 DPT=3128
   4111 DPT=1080
   4528 DPT=139

DPT=137 generated by:
      3 SRC=68.76.106.81
      7 SRC=141.157.12.151
      8 SRC=206.254.237.3
     40 SRC=65.66.85.222
    165 SRC=203.78.78.128

Total packets dropped/minute are running typical today, not sure about
distribution of ports.  Hmmm, checking stats for yesterday, dropped
packets were running triple normal.  I'll have to pull my argus logs to
see where that traffic was trying to go...  that will take longer to
process...




> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of Bill McCarty
> Sent: Friday, February 06, 2004 4:13 AM
> To: dshield
> Subject: [Dshield] Ten-fold increase in NetBIOS scans
> 
> Hi all,
> 
> Today, one of my networks having about 70 active hosts saw 9915 NetBIOS
> probes having source and destination port 137, from 86 source IPs. At
> intervals of about one second, each source sent a series of three or more
> probes--I've seen series including as many as twenty-one probes--to each
> target IP.
> 
> Yesterday, I saw only 1622 NetBIOS scans having source and destination port
> 137, a traffic volume more typical of recent history. All of yesterday's
> scans originated from a single source IP. Thus the one-day increase in
> traffic volume is almost 10x. And, the one-day increase in sources is
> almost 100x.
> 
> I notice that the DShield data at
> <http://isc.sans.org/port_details.html?port=137&repax=1&tarax=2&srcax=1&percent=N&days=70&Redraw=>
> shows a 1.5-2x surge in port 137 traffic beginning about Jan. 6. So, others
> are apparently seeing increased NetBIOS traffic volumes. I don't recall
> reading comments on the increase about the time it first occurred. Did I
> miss them? And, does anyone have any idea concerning the cause of the
> increase?
> 
> Cheers,
> 
> ---------------------------------------------------
> Bill McCarty
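
Added example, not part of either poster's message: one way to reproduce the two views in this thread from firewall drop logs, a per-DPT and per-SRC tally and a detector for the series of three or more port 137 to port 137 probes sent about one second apart. The netfilter-style log format, the sample lines, and the names `tally` and `probe_series` are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in netfilter LOG style (an assumption; the thread does not
# name the firewall). Addresses are from documentation ranges.
SAMPLE = """\
Feb  6 13:40:01 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137
Feb  6 13:40:02 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137
Feb  6 13:40:03 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137
Feb  6 13:40:03 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP SPT=40112 DPT=139
Feb  6 13:40:04 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP SPT=40113 DPT=139
Feb  6 13:40:30 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137
Feb  6 13:40:41 fw kernel: DROP IN=eth0 SRC=192.0.2.99 DST=198.51.100.6 PROTO=UDP SPT=1026 DPT=137
""".splitlines()

FIELD = re.compile(r"\b(SRC|DST|SPT|DPT)=(\S+)")

def parse(line):
    """Return (timestamp, fields) for one log line."""
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog omits the year
    return ts, dict(FIELD.findall(line))

def tally(lines, key, port=None):
    """Count lines per value of `key`, optionally restricted to one DPT."""
    recs = (parse(l)[1] for l in lines)
    return Counter(r[key] for r in recs if key in r and (port is None or r.get("DPT") == str(port)))

def probe_series(lines, port=137, min_len=3, max_gap=2.0):
    """Find runs of >= min_len probes (SPT == DPT == port) from one source to
    one target, each at most max_gap seconds after the previous probe."""
    times = defaultdict(list)
    for ts, f in map(parse, lines):
        if f.get("SPT") == f.get("DPT") == str(port):
            times[(f["SRC"], f["DST"])].append(ts)
    found = []
    for (src, dst), stamps in times.items():
        stamps.sort()
        run = 1
        for prev, cur in zip(stamps, stamps[1:] + [None]):
            if cur is not None and (cur - prev).total_seconds() <= max_gap:
                run += 1
                continue
            if run >= min_len:  # the run ended here; keep it if long enough
                found.append((src, dst, run))
            run = 1
        # the trailing None sentinel flushes the last run of each pair
    return found

if __name__ == "__main__":
    print(tally(SAMPLE, "DPT").most_common(), probe_series(SAMPLE))
```

Requiring SPT and DPT to both equal 137 separates the probe pattern described above from ordinary client lookups that use an ephemeral source port.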