-
December 5th, 2002, 12:31 AM
#1
port 137 observation
I noticed a rather precipitous drop in activity.
http://isc.incidents.org/port_details.html?port=137
Anyone know the explanation? Did the ISPs or nodes get together to block traffic on the port?
-
December 5th, 2002, 02:17 AM
#2
Could be a combination of those factors plus other initiatives such as infected computers being "cleansed".
My UDP Port 137 has been under constant attack from the outset (27 Sept.) and Zone Alarm has had to work overtime. I am on cable 24/7 and at the height of the blitz, I was receiving in the order of 2200 hits every 24 hours. This figure started to decrease towards the end of November when it dropped to approx 1700 while 950 attacks were recorded in the last 24 hours.
My ISP, the biggest in Australia (Telstra BigPond), who I approached on the problem (even suggesting a change in my static IP) said it couldn't do anything (par for the course with this mob). However, about 3 weeks ago I installed the myNetWatchman program and I give some of the credit to the drop-off to it.
I am firmly of the opinion that the majority of these scans came from computers which had been infected with the Opaserv worm.
-
December 5th, 2002, 02:25 AM
#3
I agree about opaserv - I was watching and although bugbear et al. are also partly responsible the sharp rise coincided with the timeframe for opaserv better than the others.
I don't really see people cleaning it as the solution tho', unless M$ has been putting the netbios name fix in behind their backs (and they've been faithfully going to the update site)
Still wondering - haven't caught anything newsy about it.
---edit
I'm beginning to wonder if it isn't an artifact of the way they gather and plot data - or a breakdown on their side?
Last edited by IMM; December 5th, 2002 at 02:52 AM.
-
December 6th, 2002, 03:01 AM
#4
Significant NetBIOS traffic (UDP) is caused by this worm. One of the early indications of this worm's activity was the increase in port 137 hits on firewalls. This traffic is caused by the worm issuing WINS queries across contiguous IP ranges. The spreading mechanism observed in testing is outlined below:
Opaserv
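
Added example, not part of the original posts: a sketch of how a defender could pick out the behaviour described in post #4 (UDP port 137 queries walking contiguous IP ranges) from firewall drop logs. The log line format, the addresses and the `min_run` threshold are constructed assumptions, and the log is assumed to cover a range of protected addresses rather than a single host.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log; the line format is an assumption of this example:
# timestamp action proto src_ip:src_port dst_ip:dst_port
SAMPLE_LOG = """\
2002-10-01T10:00:01 DROP UDP 198.51.100.7:1027 192.0.2.10:137
2002-10-01T10:00:01 DROP UDP 198.51.100.7:1027 192.0.2.11:137
2002-10-01T10:00:02 DROP UDP 198.51.100.7:1027 192.0.2.12:137
2002-10-01T10:00:02 DROP UDP 198.51.100.7:1027 192.0.2.13:137
2002-10-01T10:00:04 DROP TCP 198.51.100.7:4000 192.0.2.14:139
2002-10-01T10:00:05 DROP UDP 203.0.113.9:1030 192.0.2.40:137
2002-10-01T10:00:06 DROP UDP 203.0.113.9:1030 192.0.2.20:137
malformed line
"""

def parse_udp137(log_text):
    """Yield (source, destination) addresses for each UDP hit on port 137."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "UDP":
            continue  # skips malformed lines and other protocols
        src, dst = fields[3].rpartition(":")[0], fields[4].rpartition(":")
        if dst[2] != "137":
            continue
        try:
            yield ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst[0])
        except ipaddress.AddressValueError:
            continue

def longest_contiguous_run(addresses):
    """Length of the longest run of numerically consecutive addresses."""
    best = run = 0
    prev = None
    for value in sorted({int(a) for a in addresses}):
        run = run + 1 if prev is not None and value == prev + 1 else 1
        best, prev = max(best, run), value
    return best

def sweeping_sources(log_text, min_run=4):
    """Return {source: (hits, run)} for sources probing >= min_run contiguous targets."""
    targets = defaultdict(list)
    for src, dst in parse_udp137(log_text):
        targets[str(src)].append(dst)
    runs = {src: (len(d), longest_contiguous_run(d)) for src, d in targets.items()}
    return {src: v for src, v in runs.items() if v[1] >= min_run}

if __name__ == "__main__":
    print(sweeping_sources(SAMPLE_LOG))
```

A source that hits the same few addresses repeatedly scores a short run however many hits it logs, so the run length separates sequential sweeps from ordinary background noise on the port.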