On Fri, 29 Sep 2000, John Fraizer wrote:
It might be a good idea to implement filtering on the borders for TCP SYN from 0/0 to 0/0 port 7597. That way, at least it can't be used once it's installed.
I realize it is unrealistic to block 0/0 to 0/0 port 139 on the borders without breaking tons of winblows customers. It sure would be nice though. Especially considering the scope of things and how fast it's spreading.
We're also seeing a number of scans at a time. I wonder if anyone else is bothering to pass on reports to the originating netblock contacts. I don't know why we shouldn't block port 139. I blocked 137-139 for years when I was running our previous ISP and no complaints. As they say, let them use FTP! Good thought though, I'll have to add 7597 to our filters. Chuck Scott