Re: Spoofed IP trying to connect to port 137

[Trevor Hawthorn <thawthor () UU NET>]

This is someone's mis-config'd network leaking RFC-1918 (internal)
addresses.

These addresses are probobly not spoofed (maliciously crafted) but rather
this person's NAT mechanism isn't functioning properly.

There's no reason an external scanner would want to spoof his/her/its src
address if they ever wanted to see the results of the scan. It's very
common for networks to see lot of Windows networking noise at their edge
with all the worms and misconfigs that are out there.

Trevor

On Mon, 20 Nov 2000, Jason wrote:

> Anyone seeing lots of spoofed IP's trying to connect to port 137?  I am
> seeing a lot of traffic from spoofed IP's.  They are mainly to port 137 so
> maybe it is just a mass search for zombie targets?  They aren't giving up
> easily.
>
> A couple of the IP's.
>
> 10.1.100.55
> 100.1.2.1
>
> Jason Lewis
> http://www.jasonlewis.net