[unisog] Unusual volume: UDP:137 probes

Saracini, Bill SaraciniW at health.missouri.edu
Mon Sep 30 18:30:29 GMT 2002


On some of these scans, our log analysis shows targeted $C access attempts from the attacking addresses if a response is received from the target to the initial port 139 probe. 

-----Original Message-----
From: John Sage [mailto:jsage at finchhaven.com]
Sent: Monday, September 30, 2002 10:07 AM
To: Saracini, Bill
Cc: unisog at sans.org
Subject: Re: [unisog] Unusual volume: UDP:137 probes


On Mon, Sep 30, 2002 at 08:56:28AM -0500, Saracini, Bill wrote:
> We saw the same increase - about 15 times the normal volume.
However, we also had a machine creating rapid sequential multicast
groups causing havoc in our switching gear.  We are doing forensics,
but we'd like to know if this is the first wave of another attack
type.  Anybody see something similar this weekend?

"..first wave of another attack type.." -- do you mean the box
creating the multicast groups? What protocol?

As far as the UDP flood goes (and it continues here, unabated, at
this moment..) I've been wondering what *it's* up to.

Seems that it may be mapping; or, just something that's been turned on
over a *very* widespread scope and just allowed to run. Whatever it
is, it seems to be global in source, and is just going on and on and
on...

A new Internet "background noise"?



- John
-- 
"It's a troll! Run!^H^H^H^H Laugh!"

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705



More information about the unisog mailing list