[Dshield] Sudden Massive increase in DPT=137

Lauro, John jlauro at umflint.edu
Thu Mar 25 22:34:54 GMT 2004

I am just running iptables on a 2.4.something kernel.  I have the logs
going to /dev/shm so that I can keep up, and cron rotates it once an
minute and keeps a count that is averaged every 5 minutes into mrtg,
etc...  We have a class B (65K addresses) network.  I also run argus
on the same box to keep a more long term log, but that doesn't
generate near the load that the logs from iptables generate...  There
is a very noticable JUMP in dropped packets this morning, which caused
me to investigate a little...

To generate the top ports, or how many sorces, etc...  I just run
against the last 1 minute file a few awk ... | sort | uniq | wc -l
script, or a awk ... | sort | uniq -c | sort -n | tail to get the top
talkers, etc...  Along with a fgrep DPT=137 or whatever else is

The rate actually picked up to over 12M packets/hour of DPT=137 to us,
but started decling (a little) a hour ago (at 4AM), and now is closer
to 10M packets/hour.  Most of the sources are different then what I
was seeing earlier in the day, but about 10% showed up in both 1
minute samples.  The last time I seen this much bad traffic sustained
for this long was from a new worm.  Of course with UDP, the source IPs
could be easily spoofed, any maybe they are largely from the same /8,
but LEN=58 on all the packets so that seems unlikely to be useful for
spoofed packets.

> -----Original Message-----
> From: list-bounces at dshield.org 
> [mailto:list-bounces at dshield.org] On Behalf Of Tony Earnshaw
> Sent: Thursday, March 25, 2004 2:21 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Sudden Massive increase in DPT=137
> tor, 25.03.2004 kl. 15.47 skrev Lauro, John:
> > Is there a new virus/worm?
> >  
> > I've just seen a massive increase in traffic SPT=137, DPT=137, 
> > prot=UDP starting around 8AM.
> >  
> > We are blocking an extra 8 million packets an hour right 
> now (varies, 
> > but probably about 5X normal), and it's been going on for 
> almost two 
> > hours now.
> >  
> > A fair amount of of sources.  About 500 in a 1 minute 
> sample, but also 
> > lots of packets from each source...  I'll hold onto a one minute 
> > sample and compare later to see if it's the same or different 
> > sources....
> It wouldn't ever hurt to learn what software/hardware 
> "discovered" this. For my part I'm not experiencing this, but 
> can't compare :( I'm running iptables on kernel 2.6.4 (Linux, 
> of course) and am only connected sporadically to the Internet.
> --Tonni
> -- 
> mail: billy - at - billy.demon.nl
> http://www.billy.demon.nl
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list