Re: [SLUG] scans

From: Ian C. Blenke (icblenke@nks.net)
Date: Fri Dec 13 2002 - 10:45:46 EST


On Thursday 12 December 2002 19:50, Robert Foxworth wrote:
> I just ran a 2-hour-plus pkt capture on my public interface, catching
> everything except ARP (ARP is 80 to 90% of all ethernet traffic
> on my rr connection). There was a single attempt at port 137
> during this time, from 67.89.57.118. Normally I see 15 to 20
> different unID IPs in a day, well over half are trying 137. However it
> is just because these fellows think RR will be all Windows
> machines on THIS end, and are easy pickings. It is not a RR-centric
> issue; one never (or, should never) see any IP traffic to/from anyone
> else on his local HFC. I never do, just see unACK ARPs from the local
> gateways to various machines. BTW There are 6 subnets of /24 on my
> branch. Not too bad; last year there were 13.

I've been running arpwatch in parallel with the DHCP packet capture on my
DOCSIS segment (T17a-MLKJrBlvd-Tampa-66) for the past 6 months.

An interesting factoid: there are precisely six (6) unique MAC addresses that
I've been able to capture on my segment.

> Bottom line: I do not see any evidence of the 137 udp storm
> referred to by the original poster. What type address are you on, Jeff?

On my old legacy Motorola TW segment, I did seem to get quite a lot of
broadcast Microsoft traffic.

Do you have a legacy Motorola cablemodem? Or a "newer" DOCSIS cablemodem like
the Ericsson?

 - Ian


