Security Incidents mailing list archives
Re: Spoofed IP trying to connect to port 137
From: Trevor Hawthorn <thawthor () UU NET>
Date: Tue, 21 Nov 2000 18:20:34 -0500
This is someone's mis-config'd network leaking RFC-1918 (internal) addresses. These addresses are probobly not spoofed (maliciously crafted) but rather this person's NAT mechanism isn't functioning properly. There's no reason an external scanner would want to spoof his/her/its src address if they ever wanted to see the results of the scan. It's very common for networks to see lot of Windows networking noise at their edge with all the worms and misconfigs that are out there. Trevor On Mon, 20 Nov 2000, Jason wrote:
Anyone seeing lots of spoofed IP's trying to connect to port 137? I am seeing a lot of traffic from spoofed IP's. They are mainly to port 137 so maybe it is just a mass search for zombie targets? They aren't giving up easily. A couple of the IP's. 10.1.100.55 100.1.2.1 Jason Lewis http://www.jasonlewis.net
Current thread:
- Spoofed IP trying to connect to port 137 Jason (Nov 22)
- Re: Spoofed IP trying to connect to port 137 Trevor Hawthorn (Nov 24)