Security Incidents mailing list archives
Re: Odd UPD scan
From: G.E.Fowler () LBORO AC UK (Graeme Fowler)
Date: Mon, 20 Mar 2000 13:34:18 -0000
On 17-Mar-2000 Bill Pennington wrote:
I have seen the same around the networks I watch lately. Since it didn't seem like a scan I had seen before (most scans for Netbios have a high source port) I have just been ignoring them. I had also noticed that they come in bunches then disappear so I chalked it up to something misconfigured somewhere. I would be interested if anyone has other ideas about this.
Misconfigured, maybe. Programmatical, almost certainly. It's a Windoze-ism.

We noticed large quantities of these NetBIOS UDP port 137 packets inbound, particularly to our webserver. A quick nmap -O showed us that the systems in question were almost always identified trivially as Windows machines.

When tested in-house, we noticed that these packets came in bunches of three every time a new connection was established over TCP from machine to machine. After a little digging we found that the MS Windows IP stack tries to do a NB name lookup of the destination machine by probing on the NB-Name Service port (137 UDP), presumably because of the <ahem> 'integrated' way IE/MS Explorer are now installed on recent Windows versions. It's almost as though it can't tell the difference between local and remote machines. Sigh.

I may have already proffered this as an explanation on this list recently but I have to tell so many people this one I forget whether I have or not...

Quick question: If every single MS Windows machine *in the world* is doing this, how much bandwidth are they using?

Graeme
--
Graeme Fowler
Network Officer, Infrastructure & Networks Group
Loughborough University Computing Services
+44 1509 228426
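
Added example, not part of the original message: a triage sketch that separates UDP/137 probes arriving right after a TCP connection from the same source to the same host (the Windows name-lookup behaviour described above) from probes with no preceding connection. The record layout, the 10-second window, the labels and the sample addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (epoch_seconds, src, dst, proto, dst_port)
SAMPLE = [
    (100.0, "192.0.2.10", "198.51.100.5", "tcp", 80),    # web request
    (100.4, "192.0.2.10", "198.51.100.5", "udp", 137),   # bunch of three
    (101.9, "192.0.2.10", "198.51.100.5", "udp", 137),
    (103.4, "192.0.2.10", "198.51.100.5", "udp", 137),
    (200.0, "203.0.113.7", "198.51.100.5", "udp", 137),  # no TCP beforehand,
    (200.1, "203.0.113.7", "198.51.100.6", "udp", 137),  # several targets
    (200.2, "203.0.113.7", "198.51.100.7", "udp", 137),
]

WINDOW = 10.0  # assumed: seconds after a TCP connection in which probes count as related


def classify(records, window=WINDOW):
    """Return {src: label} for every source that sent UDP/137 packets."""
    last_tcp = {}                 # (src, dst) -> time of most recent TCP connection
    unpaired = defaultdict(int)   # src -> probes with no recent TCP to that host
    targets = defaultdict(set)    # src -> distinct hosts probed on UDP/137
    for ts, src, dst, proto, dport in sorted(records):
        if proto == "tcp":
            last_tcp[(src, dst)] = ts
        elif proto == "udp" and dport == 137:
            targets[src].add(dst)
            t = last_tcp.get((src, dst))
            if t is None or ts - t > window:
                unpaired[src] += 1
    result = {}
    for src, hosts in targets.items():
        if unpaired[src] == 0:
            result[src] = "name-lookup-after-tcp"   # matches the behaviour in the post
        elif len(hosts) > 1:
            result[src] = "sweep"                   # many hosts, no connections
        else:
            result[src] = "unsolicited"             # single host, no connection
    return result


if __name__ == "__main__":
    for src, label in classify(SAMPLE).items():
        print(src, label)
```
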