Security Incidents mailing list archives

Re: Dispostion of UPD/137 packets?


From: billp () ROCKETCASH COM (Bill Pennington)
Date: Wed, 16 Feb 2000 09:49:21 -0800


Thanks for the info guys. I guess I should have been a bit clearer. I
know what UDP/137 is for and my firewall drops them silently. I have
been puzzled recently by UDP/137 "floods", one IP address trying UDP/137
over and over again. It just didn't make much sense.

Again my apologies for not being clear in my original post, I was having
an I hate M$ moment. :-)

"Miller, Toby" wrote:

Here is the Microsoft link on ports 137-139
http://support.microsoft.com/support/kb/articles/Q150/5/43.ASP

-----Original Message-----
From: Miller, Toby
Sent: Wednesday, February 16, 2000 8:36 AM
To:   'Bill Pennington'; INCIDENTS () SECURITYFOCUS COM
Subject:      RE: Dispostion of UPD/137 packets?

If someone was trying to map, you would see 137/udp, 138/udp and 139/tcp.
There is a paper from Microsoft on what ports its programs use and for
what purpose they use them. I don't have the URL yet. When I get it I
will forward it to the list.

      -----Original Message-----
      From:   Bill Pennington [SMTP:billp () ROCKETCASH COM]
      Sent:   Tuesday, February 15, 2000 2:33 PM
      To:     INCIDENTS () SECURITYFOCUS COM
      Subject:        Dispostion of UPD/137 packets?

      Ugghhh I get a bunch of UDP/137 packets flying at my firewall. I know
      this is "normal" in some (most?) cases. It seems that IIS and other NT
      based web services (stats packages and what not) will attempt to query a
      server with 3 UDP/137 packets in a short burst then go away. I guess I
      have to live with this. My real question is how can you determine if a
      UDP/137 is random cruft or an attempt to compromise your network? Sometimes
      what appears to be a straightforward mapping/info gathering/crack
      attempt could really be some user whose Win9x box has gone crazy. How do
      you guys/gals determine when a UDP/37 packet is worthy of a nasty gram
      and when it is not?



      --


      Bill Pennington
      IT Manager
      Rocketcash
      billp () rocketcash com
      http://www.rocketcash.com

--

Bill Pennington
IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com
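
Added example (not part of the thread or written by its participants): a triage sketch that groups dropped packets by source and separates the three patterns mentioned above, namely the short burst of up to 3 UDP/137 packets, one address repeating UDP/137 over and over, and a source touching 137/udp, 138/udp and 139/tcp. The log format, the addresses, the 10-second burst window and the label names are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall drop log: "<timestamp> DROP <proto> <src> <dst> <dport>"
# (hypothetical format; addresses are from documentation ranges).
SAMPLE_LOG = """\
2000-02-16T09:00:01 DROP UDP 192.0.2.10 203.0.113.5 137
2000-02-16T09:00:02 DROP UDP 192.0.2.10 203.0.113.5 137
2000-02-16T09:00:04 DROP UDP 192.0.2.10 203.0.113.5 137
2000-02-16T09:10:00 DROP UDP 198.51.100.7 203.0.113.5 137
2000-02-16T09:10:01 DROP UDP 198.51.100.7 203.0.113.5 138
2000-02-16T09:10:02 DROP TCP 198.51.100.7 203.0.113.5 139
"""
# One source retrying UDP/137 every two minutes (20 constructed lines).
SAMPLE_LOG += "".join(
    f"2000-02-16T10:{m:02d}:00 DROP UDP 192.0.2.99 203.0.113.5 137\n"
    for m in range(0, 40, 2))

LINE = re.compile(r"^(\S+) DROP (UDP|TCP) (\S+) (\S+) (\d+)$")
NETBIOS_SET = {("UDP", 137), ("UDP", 138), ("TCP", 139)}
BURST_MAX = 3        # packets, taken from the "3 UDP/137 packets" remark
BURST_WINDOW = 10    # seconds; assumed meaning of "a short burst"

def classify(log_text):
    """Return {source_ip: label} describing what each source was seen doing."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not drop records
        ts, proto, src, _dst, port = m.groups()
        by_src[src].append((datetime.fromisoformat(ts), proto, int(port)))
    verdicts = {}
    for src, events in by_src.items():
        events.sort()
        ports = {(proto, port) for _, proto, port in events}
        span = (events[-1][0] - events[0][0]).total_seconds()
        if NETBIOS_SET <= ports:
            verdicts[src] = "netbios-sweep"   # all of 137/udp, 138/udp, 139/tcp
        elif ports == {("UDP", 137)} and len(events) <= BURST_MAX and span <= BURST_WINDOW:
            verdicts[src] = "short-burst"     # a few packets, then silence
        elif ports == {("UDP", 137)}:
            verdicts[src] = "repeated-137"    # same port over and over
        else:
            verdicts[src] = "other"
    return verdicts

if __name__ == "__main__":
    for src, label in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {label}")
```

The labels describe observed traffic only; they do not establish intent, which is the open question in the thread.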


