Re: [SLUG] scans

From: jeff (jdavis70@tampabay.rr.com)
Date: Thu Dec 12 2002 - 21:35:58 EST


Robert Foxworth wrote:
> I just ran a 2-hour-plus pkt capture on my public interface, catching
> everything except ARP (ARP is 80 to 90% of all ethernet traffic
> on my rr connection). There was a single attempt at port 137
> during this time, from 67.89.57.118. Normally I see 15 to 20
> different unID IPs in a day, well over half are trying 137. However it
> is just because these fellows think RR will be all Windows
> machines on THIS end, and are easy pickings. It is not a RR-centric
> issue; one never (or, should never) sees any IP traffic to/from anyone
> else on his local HFC. I never do, just see unACK ARPs from the local
> gateways to various machines. BTW There are 6 subnets of /24 on my
> branch. Not too bad; last year there were 13.
>
> Bottom line: I do not see any evidence of the 137 udp storm
> referred to by the original poster. What type address are you on, Jeff?
>
> Bob
>

        Standard dynamic IP with RR. The cable modem goes to a DHCP server
with NAT to the internal LAN. I guess I'll have to set the iptables to
drop 137 queries before the log requires a 40G partition for itself. :)

Here is a partial sample of the incoming log in the past hour, and the
activity is tapering off now. There are more hits here in an hour than I
usually see for a couple of days use:

216.116.119.123 137
65.123.124.46 137
202.80.34.150 137
168.226.120.102 137
209.194.160.86 137
64.207.5.165 137
211.158.32.125 137
204.200.27.101 137
216.170.5.157 137
211.201.22.218 137
200.45.218.77 137
210.221.15.14 137
217.40.203.10 137
211.185.63.97 137
217.162.152.52 137
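
An added example, not code from anyone in this thread: the iptables setup jeff is talking about (drop inbound NetBIOS probes on the public side, but keep a rate-limited LOG line so the log cannot grow to fill a partition), plus a small summary over a log in the "source-ip port" form pasted above. It assumes the public interface is called eth0 (set WAN to yours), that the "limit" match and LOG target are available, and the sample lines at the bottom are constructed for the demo, not real captures. IPT defaults to echo so the script only prints the rules; run it as root with IPT=iptables to install them.

```shell
#!/bin/sh
# Drop NetBIOS probes from the public interface, logging at most a few per hour.
# WAN:  public interface name (assumed eth0 here)
# IPT:  "echo" prints the rules (dry run); "iptables" installs them (needs root)
WAN="${WAN:-eth0}"
IPT="${IPT:-echo}"

netbios_rules() {
    # A dedicated chain: LOG a handful of hits per hour, DROP everything.
    # The limit match is what keeps a probe storm out of the log file.
    $IPT -N NETBIOS_IN 2>/dev/null || true
    $IPT -F NETBIOS_IN
    $IPT -A NETBIOS_IN -m limit --limit 6/hour --limit-burst 10 \
         -j LOG --log-prefix "NETBIOS probe: "
    $IPT -A NETBIOS_IN -j DROP
    # NetBIOS name (137/udp), datagram (138/udp) and session (139) service.
    # Inserted at the top of INPUT, only for packets arriving on the public side;
    # running this twice would insert the jumps twice, so flush INPUT first if re-running.
    $IPT -I INPUT 1 -i "$WAN" -p udp --dport 137:139 -j NETBIOS_IN
    $IPT -I INPUT 2 -i "$WAN" -p tcp --dport 139 -j NETBIOS_IN
}

# Number of log lines whose destination port is $1 (stdin: "ip port" lines)
hits_on_port() {
    awk -v p="$1" '$2 == p { n++ } END { print n + 0 }'
}

# "count ip" per source, busiest first (stdin: "ip port" lines)
top_sources() {
    awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Constructed sample in the same format as the pasted log (not real captures)
SAMPLE='216.116.119.123 137
65.123.124.46 137
216.116.119.123 137
202.80.34.150 137
65.123.124.46 445
216.116.119.123 137'

# Dry-run the rules, then summarise the sample
netbios_rules
echo "hits on 137: $(printf '%s\n' "$SAMPLE" | hits_on_port 137)"
printf '%s\n' "$SAMPLE" | top_sources
```

Filtering at the public interface is the right place for this on a NAT box: nothing behind the NAT should ever answer 137/udp from the Internet anyway, so the DROP loses nothing, and the rate-limited LOG still tells you a storm is happening without recording every packet of it.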



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:12:09 EDT