Security Incidents mailing list archives
Re: Odd UPD scan
From: billp () ROCKETCASH COM (Bill Pennington)
Date: Mon, 20 Mar 2000 16:19:09 -0800
Well, this is what I found. This is a little sloppy as I have had a rough weekend :-). Basically I grep'ed -c my daily firewall logs for /137; each line should represent one packet dropped. These numbers might be a bit low since I am logging to syslog, so you will get "Last line repeated X times" and that will not show up in my grep. So... Here are my daily counts:

03-12-2000  2052
03-13-2000  5969
03-14-2000  2478
03-15-2000  2946
03-16-2000  2193
03-17-2000   919
03-18-2000  2624
total      19181

So these are packets. I could not find what the standard UDP Netbios query packet length was, so I looked at a snort box I had access to and it seems all the UDP/137 - UDP/137 packet sizes are 58 bytes in length. So if we go with that number, 19181 packets x 58 bytes per packet = 1112498 bytes = a little over 1 meg in a week.

The site that these stats are from does not run any Netbios services and does not run IIS. It has SMTP, HTTP and HTTPS ports open for inbound. So this is all traffic we did not "request".

I was trying to think of another service that caused this amount of unwanted traffic and I could not. I mean IPX/SPX and AppleTalk are generally very noisy, but TCP/UDP should be a bit more elegant IMHO. It would be interesting to find out how much bandwidth is getting chewed up at sites like yahoo.com and amazon.com. I bet it is quite a lot. Maybe ISPs should block this traffic outbound by default. I think that would go a long way in combating this bandwidth hog/security risk. That is probably just a dream since a lot do not even stop outbound spoofed traffic.

Bill Pennington wrote:
> That's funny Graeme, I was thinking the same thing (M$ eating bandwidth) last night while falling asleep. I mean I turned off Netbios detects on my IDS cause they were blabbing every second and I don't run Netbios services anyway, but my firewall logs are full of denied UDP/137 traffic. For people that are charged for bandwidth this could be a real issue. Maybe when I have some time I will do a few calculations to determine how much traffic I get to UDP/137 on an average day.
>
> Graeme Fowler wrote:
> > On 17-Mar-2000 Bill Pennington wrote:
> > > I have seen the same around the networks I watch lately. Since it didn't seem like a scan I had seen before (most scans for Netbios have a high source port) I have just been ignoring them. I had also noticed that they come in bunches then disappear, so I chalked it up to something misconfigured somewhere. I would be interested if anyone has other ideas about this.
> >
> > Misconfigured, maybe. Programmatical, almost certainly. It's a Windoze-ism.
> >
> > We noticed large quantities of these NetBIOS UDP port 137 packets inbound, particularly to our webserver. A quick nmap -O showed us that the systems in question were almost always identified trivially as Windows machines. When tested in-house, we noticed that these packets came in bunches of three every time a new connection was established over TCP from machine to machine.
> >
> > After a little digging we found that the MS Windows IP stack tries to do a NB name lookup of the destination machine by probing on the NB-Name Service port (137 UDP), presumably because of the <ahem> 'integrated' way IE/MS Explorer are now installed on recent Windows versions. It's almost as though it can't tell the difference between local and remote machines. Sigh.
> >
> > I may have already proffered this as an explanation on this list recently, but I have to tell so many people this one I forget whether I have or not...
> >
> > Quick question: If every single MS Windows machine *in the world* is doing this, how much bandwidth are they using?
> >
> > Graeme
> > --
> > Graeme Fowler
> > Network Officer, Infrastructure & Networks Group
> > Loughborough University Computing Services
> > +44 1509 228426
>
> --
> Bill Pennington
> Senior IT Manager
> Rocketcash
> billp () rocketcash com
> http://www.rocketcash.com

-- 
Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com
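The counting method in the post (grep -c for /137 per daily log, then multiply by 58 bytes) undercounts when syslog collapses consecutive identical lines into "last message repeated N times". The script below is an added example, not code from the post or from any of its authors: it parses a small constructed log in an ipchains/ipfw-style "Deny" format (the field layout, hostnames and RFC 5737 addresses are assumptions), counts dropped UDP packets to port 137 per day both the plain grep -c way and with the repeat lines expanded, and turns the total into a byte estimate using the 58-byte packet size the post observed.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the original post). The "Deny"
# layout is an assumed firewall format; hosts and addresses are documentation values.
SAMPLE_LOG = """\
Mar 12 00:01:02 fw kernel: Deny UDP 192.0.2.10:137 -> 198.51.100.5:137
Mar 12 00:01:02 fw kernel: Deny UDP 192.0.2.10:137 -> 198.51.100.5:137
Mar 12 00:01:03 fw last message repeated 2 times
Mar 12 04:10:00 fw kernel: Deny TCP 192.0.2.11:4321 -> 198.51.100.5:23
Mar 13 09:00:00 fw kernel: Deny UDP 192.0.2.12:137 -> 198.51.100.5:137
Mar 13 09:00:01 fw last message repeated 4 times
Mar 13 09:00:05 fw kernel: Deny UDP 192.0.2.13:1025 -> 198.51.100.5:137
"""

# On-the-wire size of a NetBIOS name-service query as reported in the post.
NBNS_QUERY_BYTES = 58

# "Mon DD HH:MM:SS host kernel: Deny PROTO src:sport -> dst:dport"
DENY_RE = re.compile(
    r"^(?P<day>\w{3} +\d{1,2}) \S+ \S+ kernel: Deny (?P<proto>\w+) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)"
)
# syslog's compression of consecutive identical messages.
REPEAT_RE = re.compile(
    r"^(?P<day>\w{3} +\d{1,2}) \S+ \S+ last message repeated (?P<n>\d+) times"
)


def is_nbns_drop(match):
    """True when the denied packet is UDP with destination port 137."""
    return match.group("proto") == "UDP" and match.group("dport") == "137"


def count_nbns_drops(log_text, expand_repeats=True):
    """Per-day count of dropped UDP/137 packets, keyed by "Mon DD".

    With expand_repeats=False this is what grep -c on the Deny lines gives.
    With expand_repeats=True a "last message repeated N times" line adds N
    to the day's count whenever the line it repeats was itself a UDP/137 drop.
    """
    counts = defaultdict(int)
    prev_was_nbns = False  # did the most recent real log line match?
    for line in log_text.splitlines():
        m = DENY_RE.match(line)
        if m:
            prev_was_nbns = is_nbns_drop(m)
            if prev_was_nbns:
                counts[m.group("day")] += 1
            continue
        r = REPEAT_RE.match(line)
        if r:
            if expand_repeats and prev_was_nbns:
                counts[r.group("day")] += int(r.group("n"))
            # a repeat line does not change what "the previous message" was
            continue
        # any other line breaks the run, so a later repeat cannot refer to a drop
        prev_was_nbns = False
    return dict(counts)


def estimate_bytes(counts, packet_bytes=NBNS_QUERY_BYTES):
    """Total bytes implied by the per-day packet counts."""
    return sum(counts.values()) * packet_bytes


if __name__ == "__main__":
    naive = count_nbns_drops(SAMPLE_LOG, expand_repeats=False)
    full = count_nbns_drops(SAMPLE_LOG)
    for day in sorted(full):
        print(f"{day}: grep -c style {naive.get(day, 0):4d}   with repeats {full[day]:4d}")
    print(f"total {sum(full.values())} packets, about {estimate_bytes(full)} bytes")
```

On the constructed log the plain count gives 2 packets per day while expanding the repeat lines gives 4 and 6, so the syslog compression the post mentions can hide more than half of the traffic; the byte figure scales accordingly. With real logs, pass the concatenated daily files as `log_text` and adjust `DENY_RE` to the firewall's own line layout.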
Current thread:
- Odd UPD scan David Meissner (Mar 15)
- Re: Odd UPD scan Bill Pennington (Mar 16)
- Re: Odd UPD scan Graeme Fowler (Mar 20)
- Re: Odd UPD scan Grzegorz Janoszka (Mar 17)
- <Possible follow-ups>
- Re: Odd UPD scan Randy Mclean (Mar 17)
- Re: Odd UPD scan Rainer Weikusat (Mar 17)
- Re: Odd UPD scan Bill Pennington (Mar 20)
- Re: Odd UPD scan Pavel Kankovsky (Mar 21)
- NetBIOS info Robert Graham (Mar 21)
- Re: NetBIOS info Bill Pennington (Mar 22)
- Strange probe Stuart Staniford-Chen (Mar 24)
- Re: NetBIOS info Robert Graham (Mar 27)
- Syn scans to 4045 Joey McAlerney (Mar 27)
- Re: Odd UPD scan Bill Pennington (Mar 16)