"Paul D. Robertson" wrote:
>
> On Sat, 12 Oct 2002, Mike McCandless wrote:
>
> > I have seen an increase in (unsolicited) traffic to port 137 at my
> > firewall. My default
>
> You're likely seeing one of the Windows-based worms.

Hmm. I would have thought that bugbear & co would result in
port 139 (nbsession) activity.

Unicast port 137 (nbname) activity occurs whenever someone on
a windows box does a reverse lookup of an IP address.

In other words: as soon as you connect out to a service on a
windows box that does a reverse address lookup it will send
137/udp datagrams to you, asking for your netbios name.

Seeing a (non-drastic) increase could simply mean that your
users are connecting out to more places than before, or that
there are more dumbasses out on the 'net that don't block
netbios outbound.

(I personally drop 137/udp without logging, even though I'm
a fascist logger in all other aspects.)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
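
One way to check what inbound 137/udp datagrams are actually asking for, added here as an example and not part of the original post: it parses the NetBIOS name service question (RFC 1001/1002 layout) and separates wildcard node-status (NBSTAT) lookups, the "what is your NetBIOS name" request described above, from ordinary name queries. The function names and the sample packet builder are constructed for illustration.

```python
import struct

WILDCARD = b"*" + b"\x00" * 15   # name carried by adapter-status lookups

def encode_name(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble becomes a letter 'A'..'P'."""
    return bytes(0x41 + n for b in raw16 for n in (b >> 4, b & 0x0F))

def decode_name(enc: bytes) -> bytes:
    """Reverse the first-level encoding of a 32-byte question name."""
    if len(enc) != 32 or not all(0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes((enc[i] - 0x41) << 4 | (enc[i + 1] - 0x41) for i in range(0, 32, 2))

def classify(payload: bytes) -> str:
    """Label one 137/udp payload by what it asks for."""
    if len(payload) < 12:
        return "malformed"
    _txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if flags & 0x8000:                       # R bit set: a reply, not a query
        return "response"
    if (flags >> 11) & 0x0F:                 # opcode != 0: registration, release...
        return "other"
    if qdcount != 1 or len(payload) < 50 or payload[12] != 0x20:
        return "malformed"
    try:
        name = decode_name(payload[13:45])
    except ValueError:
        return "malformed"
    pos = 45
    while pos < len(payload) and payload[pos] != 0:   # skip any scope labels
        pos += 1 + payload[pos]
    if pos + 5 > len(payload):
        return "malformed"
    qtype = struct.unpack("!H", payload[pos + 1:pos + 3])[0]
    if qtype == 0x0021:                      # NBSTAT: node status request
        return "node-status wildcard" if name == WILDCARD else "node-status named"
    return "name-query" if qtype == 0x0020 else "other"

def build_query(raw16: bytes, qtype: int, txid: int = 0x1234) -> bytes:
    """Construct a sample question packet (test data, not a capture)."""
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 0)
    return header + b"\x20" + encode_name(raw16) + b"\x00" + struct.pack("!2H", qtype, 1)
```

Feeding it the UDP payloads from a packet capture of the dropped traffic shows how much of the volume is "node-status wildcard", the reverse-lookup case, versus anything else.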
This archive was generated by hypermail 2b30 : Sun Oct 13 2002 - 05:28:39 PDT