Security Incidents mailing list archives

Dispostion of UPD/137 packets?

From: billp () ROCKETCASH COM (Bill Pennington)
Date: Tue, 15 Feb 2000 11:33:07 -0800


Ugghhh I get a bunch of UDP/137 packets flying at me firewall. I know
this is "normal" is some (most?) cases. It seems that IIS and other NT
based web services (stats packages and what not) will attempt to query a
server with 3 UDP/137 packets in a short burst then go away. I guess I
have to live with this. My real question is how can you determine if a
UDP/137 is random cruft or a attempt to comprise your network? Sometimes
what appears to be an straight forward mapping/info gathering/crack
attempt could really be some user whose Win9x box has gone crazy. How do
you guys/gals determine when a UDP/37 packet is worthy of a nasty gram
and when it is not?


--

Bill Pennington
IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com

Current thread:

ports ports and more ports Tyler (Feb 11)
- Re: ports ports and more ports David Getchell (Feb 15)
- Dispostion of UPD/137 packets? Bill Pennington (Feb 15)
- Re: ports ports and more ports Robert Lau (Feb 15)
- succesful crack Bob Lockie (Feb 15)
  - Re: succesful crack Gene Harris (Feb 16)
    - Re: succesful crack **read nine (Feb 17)
    - Re: succesful crack R. Gupta (Feb 17)
- Port Scanning (perhaps related to "A very strange port scan") Warren Belfer (Feb 15)
- MASSIVE ssh attack attempt Mark Shirley (Feb 15)
  - Re: MASSIVE ssh attack attempt Omachonu Ogali (Feb 16)
    - Re: MASSIVE ssh attack attempt Jose Nazario (Feb 17)
    - Re: MASSIVE ssh attack attempt Brendan Grieve (Feb 17)

(Thread continues...)