[unisog] Heavy UDP port 137 scans today?

Peter Van Epp vanepp at sfu.ca
Sun Sep 29 19:27:41 GMT 2002

	Yep, me too although here it looks to have been going by 06:30 Friday
morning when the argus logs cycled. My guess is we are seeing either some new 
worm or someone without antispoof filters that is forging scans from a single 
site. It looks (at a quick manual look) to be doing a limited number of hosts
(perhaps as I have seen before less than the default scan detect limit of at
least dragon ...) in a subnet then switching both source IP and range in our
class B (although a number of our Cs are showing up as well). 
	Hmmm, one host going by is a local ADSL host. Trying to ping it gets
%80 packet loss. I wonder if this is a DDOS attack of some kind or if thats
just a byproduct of whatever this is.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> We've seen a dramatic increase in UDP port 137 scans of our campus, starting
> last night (Friday) around 5:30pm PDT.
> The number of unique IPs scanning us on UDP ports has been around 5-25
> for the last two weeks, until yesterday when it hit 870 and so far
> today it's around 3200 IPs that have hit us with scans (almost all of
> them against port 137).
> Is anyone else seeing this?
> Mike Iglesias                          Internet:    iglesias at draco.acs.uci.edu
> University of California, Irvine       phone:       949-824-6926
> Network & Academic Computing Services  FAX:         949-824-2069

More information about the unisog mailing list