Security Incidents mailing list archives
Re: Dispostion of UPD/137 packets?
From: billp () ROCKETCASH COM (Bill Pennington)
Date: Wed, 16 Feb 2000 09:49:21 -0800
Thanks for the info guys. I guess I should have been a bit clearer. I know what UDP/137 is for and my firewall drops them silently. I have been puzzled recently by UDP/137 "floods", one IP address trying UDP/137 over and over again. It just didn't make much sense.

Again my apologies for not being clear in my original post, I was having an I hate M$ moment. :-)

"Miller, Toby" wrote:

Here is the Microsoft link on ports 137-139 http://support.microsoft.com/support/kb/articles/Q150/5/43.ASP

-----Original Message-----
From: Miller, Toby
Sent: Wednesday, February 16, 2000 8:36 AM
To: 'Bill Pennington'; INCIDENTS () SECURITYFOCUS COM
Subject: RE: Dispostion of UPD/137 packets?

If someone was trying to map you would see 137/udp, 138/udp and 139/tcp. There is a paper from Microsoft on what ports its programs use and for what purpose they use them for. I don't have the URL yet. When I get it I will forward it to the list.

-----Original Message-----
From: Bill Pennington [SMTP:billp () ROCKETCASH COM]
Sent: Tuesday, February 15, 2000 2:33 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Dispostion of UPD/137 packets?

Ugghhh I get a bunch of UDP/137 packets flying at my firewall. I know this is "normal" in some (most?) cases. It seems that IIS and other NT based web services (stats packages and what not) will attempt to query a server with 3 UDP/137 packets in a short burst then go away. I guess I have to live with this.

My real question is how can you determine if a UDP/137 is random cruft or an attempt to compromise your network? Sometimes what appears to be a straightforward mapping/info gathering/crack attempt could really be some user whose Win9x box has gone crazy. How do you guys/gals determine when a UDP/37 packet is worthy of a nasty gram and when it is not?

-- Bill Pennington IT Manager Rocketcash billp () rocketcash com http://www.rocketcash.com
-- Bill Pennington IT Manager Rocketcash billp () rocketcash com http://www.rocketcash.com
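
The three patterns mentioned in this thread (a short burst of three UDP/137 queries, one source retrying UDP/137 over and over, and a source touching 137/udp, 138/udp and 139/tcp) can be separated per source address from firewall drop logs. The following is an added example, not part of the original messages; the log format, the sample records, the thresholds and the label names are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed drop records "<epoch> <src_ip> <proto> <dst_port>"; format and addresses are made up.
SAMPLE_LOG = """\
950723000 192.0.2.10 udp 137
950723001 192.0.2.10 udp 137
950723003 192.0.2.10 udp 137
950723100 198.51.100.7 udp 137
950723101 198.51.100.7 udp 138
950723102 198.51.100.7 tcp 139
950723200 203.0.113.5 udp 137
950723260 203.0.113.5 udp 137
950723320 203.0.113.5 udp 137
950723380 203.0.113.5 udp 137
not a log line
"""

NETBIOS = {("udp", 137), ("udp", 138), ("tcp", 139)}
BURST_MAX_PACKETS = 3   # assumption: the "3 packets then go away" pattern from the thread
BURST_MAX_SECONDS = 10  # assumption: what counts as "a short burst"

def classify(log_text):
    """Return {src_ip: label} for every source that hit a NetBIOS port."""
    hits = defaultdict(list)  # src -> [(timestamp, (proto, port)), ...]
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not (fields[0].isdigit() and fields[3].isdigit()):
            continue  # skip malformed records
        service = (fields[2].lower(), int(fields[3]))
        if service in NETBIOS:
            hits[fields[1]].append((int(fields[0]), service))

    labels = {}
    for src, events in hits.items():
        times = [t for t, _ in events]
        services = {s for _, s in events}
        if services == NETBIOS:
            labels[src] = "netbios-mapping"    # all of 137/udp, 138/udp, 139/tcp seen
        elif (services == {("udp", 137)} and len(events) <= BURST_MAX_PACKETS
              and max(times) - min(times) <= BURST_MAX_SECONDS):
            labels[src] = "name-query-burst"   # brief lookup, then silence
        elif services == {("udp", 137)}:
            labels[src] = "repeated-137"       # same source keeps retrying 137/udp
        else:
            labels[src] = "other-netbios"
    return labels

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

The labels are triage hints only: a "repeated-137" source may still be a misbehaving Windows host rather than a probe, so the packet count and timing are what to look at before contacting the source's owner.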