Cisco Support Community
New Member

UDP Bomb

Getting a ton of these alarms, any ideas why or how to prevent? I assume port 137 broadcasts are normal Windows operation. I wouldn't think that should trigger an alarm. The sensor is on a LAN segment with servers keeping an eye on traffic from other LANs to these servers.

p.s. I know I can filter out the alarm on the sensor.


2002/05/28 12:10:34

Source: Destination:

Signature: 4050:0 UDP Bomb 2

NSDB: /nsdb/expsig_4050.html

New Member

Re: UDP Bomb

I get the same darned thing.. Thousands upon thousands.. Determined it was legit so I just demoted UDP Bomb to level 2 (information only) so it wouldn't annoy us.

Cisco Employee

Re: UDP Bomb

We've not heard of a large increase in this alarm's false positive rate before. Could either of the gentlemen please email or post what IDS version they are running? Also, a general idea of what your Windows network looks like? What software version are you running predominantly, what's the domain structure if any (NT4, Win2K AD, XP, .NET???), predominant client? I'm wondering if something changed in XP or .NET servers that is causing this.

Scott C.

New Member

Re: UDP Bomb

Might have my own answer. It might be our Norton AV mgr. polling all clients. Checking.

New Member

Re: UDP Bomb

I've seen it trigger on the use of Cisco's VPN client software......
