There has been a steady rise in port 1433 activity over the last week here, which is confirmed by ISC (www.isc.sans.org).

Yesterday at 12:20 EDT Snort began alerting on MS-SQL version overflow attempts and MS-SQL Worm propagation attempts on port 1434. My external sensor has logged some 300 attempts since that time. Anyone else seeing this?

Interestingly enough, with all the 1433 scans I have received in the last week, the 1434 attempts are untargeted (random scans at IPs that don't exist). Since both ports are blocked on my network it implies that the 1433 scan was actually unrelated to the 1434 attempts.

Any thoughts/information?
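
Added example, not part of the original post: one way to test whether the 1433 scans and the 1434 attempts are related is to compare their source addresses and count how many alerts hit addresses with no host behind them. The alert lines, SIDs, the 1433 rule message and the `LIVE_HOSTS` inventory are constructed for illustration; the line layout assumes Snort's "fast" alert format.

```python
import re
from collections import defaultdict

# Constructed sample alerts (documentation address ranges, placeholder SIDs).
SAMPLE_ALERTS = """\
05/20-09:14:02.100000  [**] [1:1000001:1] constructed 1433 scan alert [**] [Priority: 2] {TCP} 198.51.100.7:4021 -> 192.0.2.10:1433
05/20-09:14:02.300000  [**] [1:1000001:1] constructed 1433 scan alert [**] [Priority: 2] {TCP} 198.51.100.7:4022 -> 192.0.2.11:1433
05/21-12:20:11.000000  [**] [1:1000002:1] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 203.0.113.5:1045 -> 192.0.2.77:1434
05/21-12:21:40.000000  [**] [1:1000003:1] MS-SQL version overflow attempt [**] [Priority: 2] {UDP} 203.0.113.5:1045 -> 192.0.2.200:1434
05/21-12:25:03.000000  [**] [1:1000002:1] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 203.0.113.99:2210 -> 192.0.2.10:1434
"""
# Assumed inventory of addresses that actually have a host behind them.
LIVE_HOSTS = {"192.0.2.10", "192.0.2.11"}

# Matches the trailing "{PROTO} src:sport -> dst:dport" part of a fast alert.
ALERT_RE = re.compile(
    r"\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def parse_alerts(text):
    """Yield (src_ip, dst_ip, dst_port) for every line that parses."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def correlate(text, live_hosts, ports=(1433, 1434)):
    """Summarise source overlap and dead-address hits for two ports."""
    sources = defaultdict(set)   # port -> set of source IPs
    dests = defaultdict(list)    # port -> destination IP per alert
    for src, dst, dport in parse_alerts(text):
        if dport in ports:
            sources[dport].add(src)
            dests[dport].append(dst)
    first, second = ports
    return {
        # Sources seen on both ports suggest one actor or tool behind both.
        "shared_sources": sorted(sources[first] & sources[second]),
        "alerts": {p: len(dests[p]) for p in ports},
        # Alerts aimed at addresses with no host point to random scanning.
        "to_nonexistent": {
            p: sum(d not in live_hosts for d in dests[p]) for p in ports
        },
    }

if __name__ == "__main__":
    print(correlate(SAMPLE_ALERTS, LIVE_HOSTS))
```

An empty `shared_sources` list together with a high `to_nonexistent` count on 1434 only is consistent with two unrelated sources of traffic; overlapping sources would point the other way.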