[unisog] Unusual volume: UDP:137 probes

John Sage jsage at finchhaven.com
Mon Sep 30 15:06:32 GMT 2002

On Mon, Sep 30, 2002 at 08:56:28AM -0500, Saracini, Bill wrote:
> We saw the same increase - about 15 times the normal volume.
> However, we also had a machine creating rapid sequential multicast
> groups causing havoc in our switching gear.  We are doing forensics,
> but we'd like to know if this is the first wave of another attack
> type.  Anybody see something similar this weekend?

"..first wave of another attack type.." -- do you mean the box
creating the multicast groups? What protocol?

As far as the UDP flood goes (and it continues here, unabated, at
this moment..) I've been wondering what *it's* up to.

Seems that it may be mapping; or, just something that's been turned on
over a *very* widespread scope and just allowed to run. Whatever it
is, it seems to be global in source, and is just going on and on and

A new Internet "background noise"?

- John
