[Dshield] Ten-fold increase in NetBIOS scans

Lauro, John jlauro at umflint.edu
Fri Feb 6 13:40:11 GMT 2004

Here is the top DPT I am dropping in one minute (just now) for our
class B:
    223 DPT=137
    230 DPT=5000
    964 DPT=4444
   1590 DPT=80
   1958 DPT=445
   2411 DPT=135
   3684 DPT=3127
   3952 DPT=3128
   4111 DPT=1080
   4528 DPT=139

DPT=137 generated by:
      3 SRC=
      7 SRC=
      8 SRC=
     40 SRC=
    165 SRC=

Total packets dropped/minute are running typical today, not sure about
distribution of ports.  Hmmm, checking stats for yesterday, dropped
packets were running triple normal.  I'll have to pull my argus logs to
see where that traffic was trying to go...  that will take longer to

> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
> Of Bill McCarty
> Sent: Friday, February 06, 2004 4:13 AM
> To: dshield
> Subject: [Dshield] Ten-fold increase in NetBIOS scans
> Hi all,
> Today, one of my networks having about 70 active hosts saw 9915
> probes having source and destination port 137, from 86 source IPs.
> intervals of about one second, each source sent a series of three or
> probes--I've seen series including as many as twenty-one probes--to
> target IP.
> Yesterday, I saw only 1622 NetBIOS scans having source and
> port
> 137, a traffic volume more typical of recent history. All of
> scans originated from a single source IP. Thus the one-day increase
> traffic volume is almost 10x. And, the one-day increase in sources
> almost 100x.
> I notice that the DShield data at
> r
> cent=N&days=70&Redraw=> shows a 1.5-2x surge in port 137 traffic
> about Jan. 6. So, others are apparently seeing increased NetBIOS
> volumes. I don't recall reading comments on the increase about the
> time it
> first occurred. Did I miss them? And, does anyone have any idea
> the cause of the increase?
> Cheers,
> ---------------------------------------------------
> Bill McCarty

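The per-port and per-source tallies quoted in the thread above can be reproduced from firewall drop logs. This is an added example, not part of the original messages: it assumes netfilter (iptables) LOG-format lines carrying `SRC=` and `DPT=` fields, the function names are hypothetical, and the sample lines are constructed using documentation address ranges.

```python
import re
from collections import Counter

# Constructed netfilter LOG lines; addresses are from documentation ranges.
_P = "Feb  6 13:39:%02d fw kernel: DROP IN=eth0 OUT= SRC=%s DST=198.51.100.5 "
SAMPLE = [
    _P % (1, "192.0.2.10") + "PROTO=UDP SPT=137 DPT=137",
    _P % (2, "192.0.2.10") + "PROTO=UDP SPT=137 DPT=137",
    _P % (3, "192.0.2.10") + "PROTO=UDP SPT=137 DPT=137",
    _P % (4, "192.0.2.44") + "PROTO=UDP SPT=137 DPT=137",
    _P % (5, "203.0.113.7") + "PROTO=TCP SPT=3312 DPT=139",
    _P % (6, "203.0.113.7") + "PROTO=TCP SPT=3313 DPT=139",
    _P % (7, "203.0.113.9") + "PROTO=TCP SPT=4021 DPT=445",
    # ICMP error: the bracketed part echoes the ORIGINAL packet's header and
    # must not be counted as a probe to port 137.
    _P % (8, "192.0.2.99") + "PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=198.51.100.5 DST=192.0.2.99 PROTO=UDP SPT=137 DPT=137 ]",
]

FIELD = re.compile(r"\b(SRC|DPT)=(\S+)")
QUOTED = re.compile(r"\[SRC=[^\]]*\]")  # header echoed inside ICMP errors

def parse(line):
    """Return {'SRC':..., 'DPT':...} or None when the packet has no port."""
    fields = dict(FIELD.findall(QUOTED.sub("", line)))
    return fields if {"SRC", "DPT"} <= fields.keys() else None

def records(lines):
    return [r for r in map(parse, lines) if r]

def top_ports(lines, n=10):
    """Top n destination ports, ascending by count (like sort|uniq -c|sort -n)."""
    counts = Counter(r["DPT"] for r in records(lines))
    return counts.most_common(n)[::-1]

def sources_for_port(lines, port):
    """Per-source drop counts for one destination port, ascending."""
    counts = Counter(r["SRC"] for r in records(lines) if r["DPT"] == str(port))
    return counts.most_common()[::-1]

def summary(lines, port):
    """(total probes, distinct source IPs) for a port, for day-over-day ratios."""
    per_source = sources_for_port(lines, port)
    return sum(c for _, c in per_source), len(per_source)

if __name__ == "__main__":
    for port, count in top_ports(SAMPLE):
        print(f"{count:7d} DPT={port}")
    for src, count in sources_for_port(SAMPLE, 137):
        print(f"{count:7d} SRC={src}")
    print("probes, sources for 137:", summary(SAMPLE, 137))
```

Running `summary` over two consecutive days of logs gives the probe-count and source-count figures needed for the kind of day-over-day comparison made in the quoted message.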