Hi all.

I have recently had the misfortune of coming across a DoS using port 139/netbios-ssn as a bounce point to create a denial of service on another UDP service. The service being attacked is none other than HLDS, the Half-Life dedicated server package for Counter-Strike.

What appears to be happening is the attacker sends minimum-sized packets to the reflector on port 139 using source addr/port of our game server. HLDS in its infinite wisdom replies to the incoming packet with a 1195-byte datagram, which is 100 times larger than the original packet from the attacker. We've noticed about 1Mbit outgoing due to this, being attacked by one IP.

Not sure if this concerns anyone, however with a decent amplifier network this could be a good way for someone to deal to your outbound.

Here's what I'm seeing:

14:43:47.197860 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.197927 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.197994 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.198061 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.201615 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)
14:43:47.201715 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)
14:43:47.201816 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)
14:43:47.201917 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)

You get the idea :)

Cheers
James Spooner
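
An added example, not part of the original post: a small detector that reads tcpdump lines in the format quoted above and flags remote endpoints whose replies from the game server port far outweigh the bytes they sent. The function names and the `min_ratio` and `min_pkts` thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Old-style tcpdump UDP summary: "time src.port > dst.port: udp LEN"
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+"
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+udp\s+(\d+)"
)

# The eight capture lines quoted in the post above.
SAMPLE = """\
14:43:47.197860 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.197927 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.197994 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.198061 62.93.201.241.139 > 210.54.151.19.27015: udp 10
14:43:47.201615 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)
14:43:47.201715 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)
14:43:47.201816 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)
14:43:47.201917 210.54.151.19.27015 > 62.93.201.241.139: udp 1195 (DF)
"""

def parse(lines):
    """Yield ((src_ip, src_port), (dst_ip, dst_port), udp_len) per matching line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (m[1], int(m[2])), (m[3], int(m[4])), int(m[5])

def tally(lines, server_port=27015):
    """Per remote endpoint: [packets in, bytes in, bytes out] for the server port."""
    stats = defaultdict(lambda: [0, 0, 0])
    for src, dst, length in parse(lines):
        if dst[1] == server_port:      # request arriving at the game server
            stats[src][0] += 1
            stats[src][1] += length
        elif src[1] == server_port:    # reply leaving the game server
            stats[dst][2] += length
    return stats

def suspects(lines, server_port=27015, min_ratio=10.0, min_pkts=4):
    """Endpoints whose replies total at least min_ratio times their request bytes."""
    flagged = {}
    for peer, (pkts, bytes_in, bytes_out) in tally(lines, server_port).items():
        if pkts >= min_pkts and bytes_in and bytes_out / bytes_in >= min_ratio:
            flagged[peer] = round(bytes_out / bytes_in, 1)
    return flagged

if __name__ == "__main__":
    print(suspects(SAMPLE.splitlines()))
```

Endpoints flagged this way are candidates for per-source rate limiting or filtering in front of the game server port.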