Subject: Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity
From: Christoph Schneeberger (cschneeTELEMEDIA.CH)
Date: Wed Mar 29 2000 - 02:26:04 CST


Hi,

I've seen this behavior when somebody runs Webtrends (i.e.) nightly.
Webtrends then tries to resolve huge amounts of IPs (assumed the server
doesn't log with lookup). I've found that in some circumstances it can
happen even if the PTR lookup for a given IP works fine. Because Webtrends
looks up so many IPs in a short time it can overhaul a small DNS server and
after a timeout it tries then to resolve the address over port 137
(netbios-name).

Hope this helps.
Regards,
Christoph Schneeberger
SCS Telemedia

At 16:06 28.03.2000 -0600, Bryan Andersen wrote:
>I too have seen this behavior. I block them at my firewall, but the
>numbers have dramatically increased for port 137 scans that hit every
>IP# in my micro net address range. Before Feb I'd see one a month at
>most.
>
>For the week of * I've seen:
> Feb 27: 3
> Mar 5: 5
> Mar 12: 8
> Mar 19: 4
> Mar 26: 3 so far
>
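
An added example, not part of the original messages: a triage script that separates UDP/137 hits consistent with the reverse-lookup fallback described above from sweeps across an address range. The log tuples, addresses, 48-hour window, same-/24 rule and sweep threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FMT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(hours=48)  # assumption: web logs are analysed within two days
SWEEP_MIN = 4                 # assumption: distinct targets that count as a sweep

# Constructed sample data (documentation address ranges), not from the thread.
# Inbound UDP/137 packets dropped at the firewall: (time, source, destination)
DROPS = [
    ("2000-03-28 01:02:10", "198.51.100.20", "192.0.2.5"),
    ("2000-03-28 01:02:13", "198.51.100.20", "192.0.2.5"),
    ("2000-03-28 04:40:00", "203.0.113.9", "192.0.2.5"),
] + [("2000-03-28 03:15:00", "203.0.113.77", f"192.0.2.{i}") for i in range(1, 7)]
# Outbound web connections from our hosts: (time, our host, remote server)
OUTBOUND = [("2000-03-27 14:30:00", "192.0.2.5", "198.51.100.10")]

def near(a, b):
    """Assumption: the log-analysis host shares a /24 with the web server."""
    return ip_address(a) in ip_network(f"{b}/24", strict=False)

def visited(dst, src, when, outbound):
    """True if dst contacted a server near src within WINDOW before the probe."""
    for ts, host, server in outbound:
        age = when - datetime.strptime(ts, FMT)
        if host == dst and near(src, server) and timedelta(0) <= age <= WINDOW:
            return True
    return False

def classify(drops, outbound):
    """Label each UDP/137 source: lookup-fallback, sweep or unexplained."""
    per_src = defaultdict(list)
    for ts, src, dst in drops:
        per_src[src].append((datetime.strptime(ts, FMT), dst))
    verdicts = {}
    for src, hits in per_src.items():
        if all(visited(dst, src, when, outbound) for when, dst in hits):
            verdicts[src] = "lookup-fallback"
        elif len({dst for _, dst in hits}) >= SWEEP_MIN:
            verdicts[src] = "sweep"
        else:
            verdicts[src] = "unexplained"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(DROPS, OUTBOUND).items():
        print(src, verdict)
```

Sources labelled "sweep" or "unexplained" are the ones worth a closer look; "lookup-fallback" only means the timing and addresses are consistent with a name-resolution retry, not that the traffic is proven benign.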