Security Incidents mailing list archives

Re: UDP port 137 packets sent to 70.255.224.194 (and to other hosts/nets as well)


From: Pavel Lozhkin <pauel () BALAKOVO RU>
Date: Wed, 30 Aug 2000 07:47:59 +0400



Felipe Alfaro wrote:

Hello,

I have configured our Cisco 801 router to block all
incoming/outgoing NetBIOS traffic (TCP/UDP ports 137-139).
I have set a specific filter for this and I have enabled
logging.

[other text has been skipped]

And here is my 2 cents:

Over the last week I sent 4 or 5 complaints about a UDP scan (port 138). I have
one answer from iana.org; they wrote: "It is legal traffic and do not
worry about it and contact to your ISP for more information". That was 2
days ago. Today I sent him another complaint about a new scan....

First: I am the ISP myself ;)
Second: this traffic was not directed at just one host; in the
log I saw this:

Aug-30-01:37:02 UDP from 169.254.100.72:137 to XXX.XX.XXX.16:137
Aug-30-01:37:06 UDP from 169.254.100.72:137 to XXX.XXX.XXX.17:137

The IP address increases by 1 with each packet.

Today the scanners were 169.254.100.72 and 132.239.105.59.

What happened? These scans began only one week ago...... Before that I
did not see them.


--
** The hedgehog is a proud bird, he does not fly without kick **

Pauel
System administrator
ICQ UIN 39596913 8990192
Phone (7-84570)-52525
      (7-84570)-40658

Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
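
Added example, not part of the original message: a small Python check for the pattern described above, one source sending NetBIOS UDP packets to destination addresses that increase by 1. The function name `find_sweeps`, the `min_run` threshold and the sample destinations (192.0.2.0/24 documentation range, second source 198.51.100.7) are assumptions made for illustration; only the log line layout comes from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the post; destinations use
# the 192.0.2.0/24 documentation range because the post masks the real ones.
SAMPLE_LOG = """\
Aug-30-01:37:02 UDP from 169.254.100.72:137 to 192.0.2.16:137
Aug-30-01:37:06 UDP from 169.254.100.72:137 to 192.0.2.17:137
Aug-30-01:37:10 UDP from 169.254.100.72:137 to 192.0.2.18:137
Aug-30-01:37:14 UDP from 169.254.100.72:137 to 192.0.2.19:137
Aug-30-01:38:40 UDP from 198.51.100.7:137 to 192.0.2.40:137
Aug-30-01:52:11 UDP from 198.51.100.7:137 to 192.0.2.40:137
"""

LINE_RE = re.compile(
    r"^\S+ UDP from (?P<src>[\d.]+):\d+ "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
NETBIOS_PORTS = {137, 138, 139}  # the range the router filter above blocks


def find_sweeps(log_text, min_run=3):
    """Map each source to its longest run of consecutive destination IPs."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) not in NETBIOS_PORTS:
            continue  # masked, malformed or non-NetBIOS lines are skipped
        try:
            dst = int(ipaddress.IPv4Address(m["dst"]))
        except ipaddress.AddressValueError:
            continue
        targets[m["src"]].add(dst)
    sweeps = {}
    for src, dsts in targets.items():
        ordered = sorted(dsts)
        best = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            sweeps[src] = best  # only sources that walked >= min_run addresses
    return sweeps


if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG))
```

A source that repeatedly hits the same single host is not reported, which separates a sequential sweep from ordinary repeated name-service traffic to one address.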

