Security Incidents mailing list archives

Re: Odd UPD scan


From: billp () ROCKETCASH COM (Bill Pennington)
Date: Mon, 20 Mar 2000 16:19:09 -0800


Well this is what I found. This is a little sloppy as I have had a rough
weekend:-).

Basically I grep'ed -c my daily firewall logs for /137; each line should
represent one packet dropped. These numbers might be a bit low since I
am logging to syslog, so you will get "Last line repeated X times" and that
will not show up in my grep.

So... Here are my daily counts

03-12-2000 2052
03-13-2000 5969
03-14-2000 2478
03-15-2000 2946
03-16-2000 2193
03-17-2000 919
03-18-2000 2624

total 19181

So these are packets. I could not find what the standard UDP Netbios
query packet length was so I looked at a snort box I had access to and
it seems all the UDP/137 - UDP/137 packet sizes are 58 bytes in length.

So if we go with that number

19181 packets x 58 bytes per packet = 1112498 bytes = a little over 1
meg in a week.

The site that these stats are from does not run any Netbios services and
does not run IIS. It has SMTP, HTTP and HTTPS ports open for inbound. So
this is all traffic we did not "request". I was trying to think of
another service that caused this amount of unwanted traffic and I could
not. I mean IPX/SPX and Appletalk are generally very noisy but TCP/UDP
should be a bit more elegant IMHO.

It would be interesting to find out how much bandwidth is getting chewed
up at sites like yahoo.com and amazon.com. I bet it is quite a lot.
Maybe ISPs should block this traffic outbound by default. I think that
would go a long way in combating this bandwidth hog/security risk. That
is probably just a dream since a lot do not even stop outbound
spoofed traffic.

Bill Pennington wrote:

That's funny Graeme, I was thinking the same thing (M$ eating bandwidth)
last night while falling asleep. I mean I turned off netbios detects on
my IDS cause they were blabbing every second and I don't run NetBios
services anyway, but my firewall logs are full of denied UDP/137 traffic.
For people that are charged for bandwidth this could be a real issue.

Maybe when I have some time I will do a few calculations to determine
how much traffic I get to UDP/137 on an average day.

Graeme Fowler wrote:

On 17-Mar-2000 Bill Pennington wrote:
I have seen the same around the networks I watch lately. Since it
didn't seem like a scan I had seen before (most scans for Netbios
have a high source port) I have just been ignoring them. I had also
noticed that they come in bunches then disappear, so I chalked it up to
something misconfigured somewhere. I would be interested if anyone has
other ideas about this.

Misconfigured, maybe. Programmatical, almost certainly.

It's a Windoze-ism. We noticed large quantities of these NetBIOS UDP
port 137 packets inbound, particularly to our webserver. A quick nmap
-O showed us that the systems in question were almost always identified
trivially as Windows machines.

When tested in-house, we noticed that these packets came in bunches of
three every time a new connection was established over TCP from machine
to machine. After a little digging we found that the MS Windows IP
stack tries to do a NB name lookup of the destination machine by
probing on the NB-Name Service port (137 UDP), presumably because of
the <ahem> 'integrated' way IE/MS Explorer are now installed on recent
Windows versions.

It's almost as though it can't tell the difference between local and
remote machines. Sigh.

I may have already proffered this as an explanation on this list
recently but I have to tell so many people this one I forget whether I
have or not...

Quick question: If every single MS Windows machine *in the world* is
doing this, how much bandwidth are they using?

Graeme

--
Graeme Fowler
Network Officer, Infrastructure & Networks Group
Loughborough University Computing Services
+44 1509 228426

--

Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com

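The counting method described at the top of this message (grep -c for /137, which undercounts because syslog collapses duplicates into "last message repeated N times") can be made exact by carrying the repeat count forward onto the previous line. The script below is an added example, not code from the original thread or from Rocketcash; the log format is an assumed "Deny UDP src:port -> dst:port" kernel message, the sample lines are constructed, and the 58-byte packet size is the figure quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt (not from the original post). The "Deny UDP"
# line format is an assumption; real firewalls word this differently.
SAMPLE_LOG = """\
Mar 12 00:01:10 fw kernel: Deny UDP 192.0.2.10:137 -> 198.51.100.5:137
Mar 12 00:01:11 fw kernel: Deny UDP 192.0.2.10:137 -> 198.51.100.5:137
Mar 12 00:01:12 fw last message repeated 2 times
Mar 12 00:02:00 fw kernel: Deny TCP 192.0.2.20:4321 -> 198.51.100.5:80
Mar 12 00:03:00 fw last message repeated 5 times
Mar 13 00:00:05 fw kernel: Deny UDP 192.0.2.30:137 -> 198.51.100.5:137
Mar 13 00:00:06 fw last message repeated 3 times
"""

# Syslog prefix: "Mon DD HH:MM:SS host message"
LINE_RE = re.compile(r"^(?P<day>[A-Z][a-z]{2}\s+\d{1,2}) \d\d:\d\d:\d\d \S+ (?P<msg>.*)$")
# syslogd's duplicate-suppression line; it refers to the line immediately before it
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
# A dropped UDP datagram whose destination port is 137 (NetBIOS Name Service)
NB_RE = re.compile(r"^kernel: Deny UDP \S+:\d+ -> \S+:137$")

NETBIOS_NS_QUERY_BYTES = 58  # per-packet size observed on the snort box in the post


def count_udp137_by_day(log_text, count_repeats=True):
    """Return {day: dropped UDP/137 packets}.

    With count_repeats=False this behaves like a plain grep -c and ignores
    syslog's "last message repeated N times" lines; with the default True the
    repeat count is attributed to the preceding line if that line was a UDP/137
    drop, which is the undercount the post warns about.
    """
    counts = defaultdict(int)
    last_was_nb = False  # classification of the most recent non-repeat line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a syslog line we understand
        day, msg = m.group("day"), m.group("msg")
        rep = REPEAT_RE.match(msg)
        if rep:
            if count_repeats and last_was_nb:
                counts[day] += int(rep.group("n"))
            continue  # a repeat line does not change what "last line" was
        last_was_nb = bool(NB_RE.match(msg))
        if last_was_nb:
            counts[day] += 1
    return dict(counts)


def estimate_bytes(counts, bytes_per_packet=NETBIOS_NS_QUERY_BYTES):
    """Total bytes for the given per-day packet counts (the post's arithmetic)."""
    return sum(counts.values()) * bytes_per_packet


if __name__ == "__main__":
    exact = count_udp137_by_day(SAMPLE_LOG)
    grep_like = count_udp137_by_day(SAMPLE_LOG, count_repeats=False)
    for day in sorted(exact):
        print(f"{day}: grep -c style {grep_like.get(day, 0)}, with repeats {exact[day]}")
    print(f"total {sum(exact.values())} packets, about {estimate_bytes(exact)} bytes")
```

Running it on the sample shows the gap the post mentions: the grep-style count sees 2 and 1 packets for the two days, while folding in the repeat lines gives 4 and 4. Note that only repeats following a UDP/137 drop are added; the "repeated 5 times" after the TCP/80 deny is correctly ignored.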

