[31581] in North American Network Operators' Group
Re: Port 139 scans
daemon@ATHENA.MIT.EDU (Charles Scott)
Fri Sep 29 15:48:45 2000
Date: Fri, 29 Sep 2000 15:26:49 -0400 (EDT)
From: Charles Scott <cscott@gaslightmedia.com>
To: John Fraizer <nanog@EnterZone.Net>
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.21.0009291458260.2910-100000@Overkill.EnterZone.Net>
Message-ID: <Pine.LNX.4.04.10009291520270.17601-100000@harbor.gaslightmedia.com>
On Fri, 29 Sep 2000, John Fraizer wrote:
> It might be a good idea to implement filtering on the borders for TCP SYN
> from 0/0 to 0/0 port 7597. That way, at least it can't be used once it's
> installed.
>
> I realize it is unrealistic to block 0/0 to 0/0 port 139 on the borders
> without breaking tons of winblows customers. It sure would be nice
> though. Especially considering the scope of things and how fast it's
> spreading.

We're also seeing a number of scans at a time. I wonder if anyone else
is bothering to pass on reports to the originating netblock contacts.

I don't know why we shouldn't block port 139. I blocked 137-139 for
years when I was running our previous ISP and no complaints. As they say,
let them use FTP! Good thought though, I'll have to add 7597 to our
filters.

Chuck Scott