Home page logo

nanog logo nanog mailing list archives

Re: RPC errors
From: Jack Bates <jbates () brightok net>
Date: Mon, 11 Aug 2003 17:43:10 -0500

Mark Segal wrote:
I just put an access list on one of our cores with some spare cpu cycles..
And 10% of the traffic looks like port 135 calls.....  Anyone else see this?
Did I break anything legitimate?

There is legitimate use for 135, although normally it is not used in the wild much. From what I can see, the 10% traffic mark is about average and should mostly be infected systems. I've seen some tight-in network scans from one of my networks to the others (within the same /18). Still monitoring loads before I decide to crank in lists between networks to limit cross infection. Tomorrow starts the fun... EU contact.

I plan to open up inbound first and let user's get infected, tracking and purifying my network for about a week, perhaps two. Then I'll reopen the network for full traffic if it looks clean enough. Emergency "Good Neighbor" policy. :)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]