[unisog] Heavy UDP port 137 scans today?
Peter Van Epp
vanepp at sfu.ca
Sun Sep 29 19:27:41 GMT 2002
Yep, me too although here it looks to have been going by 06:30 Friday
morning when the argus logs cycled. My guess is we are seeing either some new
worm or someone without antispoof filters that is forging scans from a single
site. It looks (at a quick manual look) to be doing a limited number of hosts
(perhaps as I have seen before less than the default scan detect limit of at
least dragon ...) in a subnet then switching both source IP and range in our
class B (although a number of our Cs are showing up as well).
Hmmm, one host going by is a local ADSL host. Trying to ping it gets
80% packet loss. I wonder if this is a DDoS attack of some kind or if that's
just a byproduct of whatever this is.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
> We've seen a dramatic increase in UDP port 137 scans of our campus, starting
> last night (Friday) around 5:30pm PDT.
> The number of unique IPs scanning us on UDP ports has been around 5-25
> for the last two weeks, until yesterday when it hit 870 and so far
> today it's around 3200 IPs that have hit us with scans (almost all of
> them against port 137).
> Is anyone else seeing this?
> Mike Iglesias Internet: iglesias at draco.acs.uci.edu
> University of California, Irvine phone: 949-824-6926
> Network & Academic Computing Services FAX: 949-824-2069
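Added example, not part of the original thread or of any tool named in it: the reply describes sources that each probe only a few hosts, staying under a per-source scan-detect limit, while the original report shows the number of distinct scanning IPs jumping far above its usual 5-25. The sketch below runs both views over constructed flow records; the tuple layout, the per-source limit of 10 and the surge factor are assumptions, not Argus or Dragon formats or defaults.

```python
from collections import defaultdict

# Assumed values, not taken from any product: a per-source scan threshold and
# the usual daily ceiling of unique UDP scanners (the post reports 5-25).
PER_SOURCE_HOSTS = 10
BASELINE_SOURCES = 25
SURGE_FACTOR = 4

def build_sample_flows(sources=200, hosts_per_source=5):
    """Constructed flows: each source probes a few hosts on UDP/137, then stops."""
    flows = []
    for s in range(sources):
        src = f"198.51.100.{s + 1}"
        for h in range(hosts_per_source):
            # Each source works a different slice of the (documentation) range.
            dst = f"192.0.2.{(s * hosts_per_source + h) % 254 + 1}"
            flows.append((src, dst, "udp", 137))
    # One conventional scanner for contrast: a single source sweeping 40 hosts.
    flows += [("203.0.113.9", f"192.0.2.{i}", "udp", 161) for i in range(1, 41)]
    return flows

def per_source_scanners(flows, limit=PER_SOURCE_HOSTS):
    """Classic scan detection: sources touching >= limit distinct hosts on a port."""
    seen = defaultdict(set)
    for src, dst, proto, dport in flows:
        seen[(src, proto, dport)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items() if len(dsts) >= limit}

def source_surges(flows, baseline=BASELINE_SOURCES, factor=SURGE_FACTOR):
    """Aggregate view: ports hit by far more distinct sources than the baseline."""
    srcs = defaultdict(set)
    for src, dst, proto, dport in flows:
        srcs[(proto, dport)].add(src)
    return {key: len(s) for key, s in srcs.items() if len(s) >= baseline * factor}

if __name__ == "__main__":
    flows = build_sample_flows()
    # Only the single-source sweep trips the per-source rule.
    print("per-source alerts:", per_source_scanners(flows))
    # The UDP/137 activity shows up only when sources are counted per port.
    print("distinct-source surges:", source_surges(flows))
```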