|
Security Incidents
mailing list archives
Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probeactivity
From: cschnee () TELEMEDIA CH (Christoph Schneeberger)
Date: Wed, 29 Mar 2000 10:26:04 +0200
Hi,
I've seen this behavior when somebody runs Webtrends (i.e.) nightly.
Webtrends then tries to resolve huge amounts of ip's (assumed the server
doesn't log with lookup). I've found that in some circumstances it can
happen even if the PTR lookup for a give ip works fine. Because webtrends
looks up so many ip's in a short time it can ovehaul a small DNS server and
after a timeout it tries then to resolve the address over port 137
(netbios-name).
Hope this helps.
Regards,
Christoph Schneeberger
SCS Telemedia
At 16:06 28.03.2000 -0600, Bryan Andersen wrote:
I too have seen this behavior. I block them at my firewall, but the
numbers have dramatically increased for port 137 scans that hit every
IP# in my micro net address range. Before Feb I'd see one a month at
most.
For the week of * I've seen:
Feb 27: 3
Mar 5: 5
Mar 12: 8
Mar 19: 4
Mar 26: 3 sofar
 By Date 
By Thread
Current thread:
|
Intro
