The number of machines probing every IP in our range with UDP/137 seems to be up substantially today, to the point where it's practically DoSsing some of our gateway equipment. These are not routine Windows/NetBIOS activity. Although the "Packet was broadcast" flag is set in the NetBIOS header, they are in fact being sent unicast. The source port in my captured samples is always the same for any given source address. The FCS/Checksum is always wrong. It seems to be random, which argues for a tool that doesn't care about setting it rather than that the address/etc has been spoofed. Are other people seeing this? Anyone know what's causing it? David Gillett ---------------------------------------------------------------------------- *** Wireless LAN Policies for Security & Management - NEW White Paper *** Just like wired networks, wireless LANs require network security policies that are enforced to protect WLANs from known vulnerabilities and threats. Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs. To get your FREE white paper visit us at: http://www.securityfocus.com/AirDefense-incidents ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Wed May 14 2003 - 17:22:11 PDT