Security Incidents mailing list archives

Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity


From: jeffc () SHORE NET (Jeffrey D. Carter)
Date: Sat, 25 Mar 2000 13:56:28 -0500


I apologize for the volume of this particular log extract, but I
believe there is an important trend here that deserves further study and
correlation checking. My offhand guess is some new, stupid, Windows 2000
behavior, but my only evidence is that this involves a MS specific protocol,
and the strange activity went from near zero to fast-growing about Feb 15.

The logs below represent every single UDP port 137 probe received at the
destination address (209.58.151.30) since a few minutes after midnight Dec
31, 1999 to March 25, 2000 (a period of about 86 days).  During that time,
I have received 58 probes to this address. Notice that exactly zero of
these probes were received during the first 35 days covered (all of the
month of January plus a few).

I know where UDP 137 queries historically come from: some Microsoft O/Ses,
especially if misconfigured, will query NetBIOS Name Service instead
of rDNS. Even more-correctly configured ones will consult NetBIOS NS if
the rDNS lookup fails. This behavior explains Port 137 probes seen from
Internet servers: when a browser, mail client, or other network application
accesses a server, the server may attempt to perform name resolution based
on the IP address, and will cause (if there are configuration errors or
rDNS failures) NetBIOS name lookups.

However, the source addresses below do not represent network servers
(some of them are dialup ports, and others are residential DSL and Cable
modems according to _their_ rDNS), and many of them occurred when I can
unequivocally state that no outbound access to _any_ network server was
occurring in close proximity to the probe (I rarely surf at 5AM local
time, for instance). In addition, there has been no interruption of rDNS
service since it was established for this address last year (resulting
in a dramatic reduction in Port 137 probes at the time). And there are NO
accessible services at this address.

There is one other anomaly in the data below: 4 of the probe clumps
include an interleaved series of a remote address and an address in the
169.254.0.0 netblock. These couldn't possibly be coincidence given the
timing (137 probes generally arrive in clumps of 3: these duplicates are
eliminated in the sequence below _except_ in the cases where probes were
seen from multiple sources simultaneously). Note the groups at Feb 15,
Mar 3, Mar 10, and Mar 18. This is significant because netblock 169.254
is reserved for internal network usage, and should never be routed over
the Internet. This particular pattern is responsible for 20 of the 58
probes shown here (at 5 packets per).

So, if we look at weekly volume, folding the interleaved 169.254 stuff down
to one 'probe' each, we see: (fri->thurs)

Week  0: 0 (dec 31->jan 6)
Week  1: 0
Week  2: 0
Week  3: 0
Week  4: 0
Week  5: 0
Week  6: 1
Week  7: 0
Week  8: 2 (feb 11->feb 17)
Week  9: 6
Week 10: 5
Week 11: 5
Week 12: 5
Week 13:12 (mar 17->mar 23)
Week 14: 5 (first 1.5 days)

Anyone have clues about what piece of brokenware has suddenly decided to
start doing these lookups (to which they never get answers), and what
triggers it to look for certain addresses? I would also be curious about
the magical leaking 169.254 source addresses.

Jeff Carter
jeffc () shore net

==Log data follows==

[Timestamps are US/Eastern, GMT-0500, synchronized via NTP]
Feb  4 17:28:54 drop in udp 63.76.77.22:137 209.58.151.30:137 (78)
Feb 15 22:16:50 drop in udp 202.72.156.37:137 209.58.151.30:137 (78)
Feb 15 22:16:52 drop in udp 202.72.156.37:137 209.58.151.30:137 (78)
Feb 15 22:16:52 drop in udp 169.254.4.114:137 209.58.151.30:137 (78)
Feb 15 22:16:53 drop in udp 202.72.156.37:137 209.58.151.30:137 (78)
Feb 15 22:16:53 drop in udp 169.254.4.114:137 209.58.151.30:137 (78)
Feb 17 19:18:17 drop in udp 207.215.90.93:137 209.58.151.30:137 (78)
Feb 18 08:47:33 drop in udp 210.55.13.37:137 209.58.151.30:137 (78)
Feb 20 00:21:19 drop in udp 208.134.41.8:137 209.58.151.30:137 (78)
Feb 23 01:16:12 drop in udp 209.237.3.44:137 209.58.151.30:137 (78)
Feb 23 19:07:13 drop in udp 207.171.143.80:137 209.58.151.30:137 (78)
Feb 24 12:18:27 drop in udp 208.137.34.48:137 209.58.151.30:137 (78)
Feb 24 13:30:04 drop in udp 204.216.248.83:137 209.58.151.30:137 (78)
Feb 25 10:29:25 drop in udp 206.31.14.98:137 209.58.151.30:137 (78)
Feb 25 12:41:32 drop in udp 205.217.124.5:137 209.58.151.30:137 (78)
Feb 25 18:41:20 drop in udp 208.137.34.48:137 209.58.151.30:137 (78)
Mar  2 05:22:57 drop in udp 206.127.248.27:137 209.58.151.30:137 (78)
Mar  2 16:43:05 drop in udp 209.220.61.116:137 209.58.151.30:137 (78)
Mar  3 17:03:39 drop in udp 216.244.20.57:137 209.58.151.30:137 (78)
Mar  3 17:03:41 drop in udp 169.254.4.24:137 209.58.151.30:137 (78)
Mar  3 17:03:41 drop in udp 216.244.20.57:137 209.58.151.30:137 (78)
Mar  3 17:03:42 drop in udp 169.254.4.24:137 209.58.151.30:137 (78)
Mar  3 17:03:42 drop in udp 216.244.20.57:137 209.58.151.30:137 (78)
Mar  3 17:47:25 drop in udp 204.233.56.42:137 209.58.151.30:137 (78)
Mar  7 02:29:39 drop in udp 208.41.110.60:137 209.58.151.30:137 (78)
Mar  7 03:32:46 drop in udp 207.178.176.35:137 209.58.151.30:137 (78)
Mar  9 17:24:51 drop in udp 63.192.39.167:137 209.58.151.30:137 (78)
Mar  9 22:03:20 drop in udp 204.244.117.46:137 209.58.151.30:137 (78)
Mar 10 10:35:46 drop in udp 209.110.230.223:137 209.58.151.30:137 (78)
Mar 10 10:35:46 drop in udp 169.254.7.158:137 209.58.151.30:137 (78)
Mar 10 10:35:48 drop in udp 209.110.230.223:137 209.58.151.30:137 (78)
Mar 10 10:35:48 drop in udp 169.254.7.158:137 209.58.151.30:137 (78)
Mar 10 10:35:49 drop in udp 209.110.230.223:137 209.58.151.30:137 (78)
Mar 10 10:35:49 drop in udp 169.254.7.158:137 209.58.151.30:137 (78)
Mar 14 14:26:19 drop in udp 207.212.98.142:137 209.58.151.30:137 (78)
Mar 15 01:05:12 drop in udp 209.20.244.92:137 209.58.151.30:137 (78)
Mar 15 16:46:44 drop in udp 207.55.120.154:137 209.58.151.30:137 (78)
Mar 18 10:03:49 drop in udp 212.252.209.117:137 209.58.151.30:137 (78)
Mar 18 10:03:51 drop in udp 169.254.47.26:137 209.58.151.30:137 (78)
Mar 18 10:03:51 drop in udp 212.252.209.117:137 209.58.151.30:137 (78)
Mar 18 10:03:53 drop in udp 169.254.47.26:137 209.58.151.30:137 (78)
Mar 18 10:03:53 drop in udp 212.252.209.117:137 209.58.151.30:137 (78)
Mar 20 11:39:24 drop in udp 209.4.2.217:137 209.58.151.30:137 (78)
Mar 21 07:29:46 drop in udp 210.207.243.89:137 209.58.151.30:137 (78)
Mar 21 15:07:42 drop in udp 208.58.34.58:137 209.58.151.30:137 (78)
Mar 22 05:15:23 drop in udp 209.146.253.179:137 209.58.151.30:137 (78)
Mar 22 09:33:40 drop in udp 209.135.236.38:137 209.58.151.30:137 (78)
Mar 22 19:29:43 drop in udp 205.250.140.125:137 209.58.151.30:137 (78)
Mar 22 19:59:23 drop in udp 24.30.138.227:137 209.58.151.30:137 (78)
Mar 23 08:37:25 drop in udp 206.254.25.33:137 209.58.151.30:137 (78)
Mar 23 09:28:47 drop in udp 207.112.4.136:137 209.58.151.30:137 (78)
Mar 23 11:40:46 drop in udp 204.253.4.107:137 209.58.151.30:137 (78)
Mar 23 15:33:17 drop in udp 207.212.76.106:137 209.58.151.30:137 (78)
Mar 24 11:54:38 drop in udp 203.236.105.23:137 209.58.151.30:137 (78)
Mar 24 21:04:18 drop in udp 216.244.18.137:137 209.58.151.30:137 (78)
Mar 24 22:44:55 drop in udp 207.228.5.142:137 209.58.151.30:137 (78)
Mar 25 06:33:45 drop in udp 24.92.246.37:137 209.58.151.30:137 (78)
Mar 25 10:44:50 drop in udp 209.53.11.121:137 209.58.151.30:137 (78)

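The folding and weekly bucketing described in the post, as an added example that is not the poster's own code: a small Python script that parses firewall drop lines in the format quoted above, keeps only UDP datagrams to port 137, groups retries that arrive within a few seconds into one clump, flags clumps with an interleaved 169.254/16 (link-local) source, counts each clump as one probe per distinct routable source, and buckets the result into Fri->Thu weeks counted from Dec 31, 1999. The sample lines are a subset of the log in the post; the 10-second clump window and the assumption that undated syslog lines belong to the year 2000 are mine.

```python
import re
from datetime import datetime, date, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the firewall drop lines quoted in the post.
SAMPLE_LOG = """\
Feb  4 17:28:54 drop in udp 63.76.77.22:137 209.58.151.30:137 (78)
Feb 15 22:16:50 drop in udp 202.72.156.37:137 209.58.151.30:137 (78)
Feb 15 22:16:52 drop in udp 202.72.156.37:137 209.58.151.30:137 (78)
Feb 15 22:16:52 drop in udp 169.254.4.114:137 209.58.151.30:137 (78)
Feb 15 22:16:53 drop in udp 202.72.156.37:137 209.58.151.30:137 (78)
Feb 15 22:16:53 drop in udp 169.254.4.114:137 209.58.151.30:137 (78)
Feb 17 19:18:17 drop in udp 207.215.90.93:137 209.58.151.30:137 (78)
Mar  3 17:03:39 drop in udp 216.244.20.57:137 209.58.151.30:137 (78)
Mar  3 17:03:41 drop in udp 169.254.4.24:137 209.58.151.30:137 (78)
Mar  3 17:03:41 drop in udp 216.244.20.57:137 209.58.151.30:137 (78)
Mar  3 17:03:42 drop in udp 169.254.4.24:137 209.58.151.30:137 (78)
Mar  3 17:03:42 drop in udp 216.244.20.57:137 209.58.151.30:137 (78)
Mar  3 17:47:25 drop in udp 204.233.56.42:137 209.58.151.30:137 (78)
Mar  9 17:24:51 drop in udp 63.192.39.167:137 209.58.151.30:137 (78)
Mar 18 10:03:49 drop in udp 212.252.209.117:137 209.58.151.30:137 (78)
Mar 18 10:03:51 drop in udp 169.254.47.26:137 209.58.151.30:137 (78)
Mar 18 10:03:51 drop in udp 212.252.209.117:137 209.58.151.30:137 (78)
Mar 18 10:03:53 drop in udp 169.254.47.26:137 209.58.151.30:137 (78)
Mar 18 10:03:53 drop in udp 212.252.209.117:137 209.58.151.30:137 (78)
Mar 22 19:59:23 drop in udp 24.30.138.227:137 209.58.151.30:137 (78)
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"drop in (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \((?P<length>\d+)\)$"
)
LINK_LOCAL = ip_network("169.254.0.0/16")   # IPv4 link-local; never routable
WEEK0_START = date(1999, 12, 31)            # the Friday the post's week 0 begins
CLUMP_GAP = timedelta(seconds=10)           # assumed: retries this close form one clump

def parse_line(line, year=2000):
    """Parse one firewall drop line; returns None for lines that do not match.
    Assumption: the log carries no year, so month names are resolved against
    `year`, with December entries assigned to the preceding year."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mon, day, time = m["mon"], int(m["day"]), m["time"]
    y = year - 1 if mon == "Dec" else year
    ts = datetime.strptime(f"{y} {mon} {day} {time}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proto": m["proto"], "src": ip_address(m["src"]),
            "dst": ip_address(m["dst"]), "dport": int(m["dport"]),
            "length": int(m["length"])}

def netbios_ns_events(text):
    """Keep only UDP datagrams aimed at port 137 (NetBIOS Name Service)."""
    events = (parse_line(l) for l in text.splitlines())
    return [e for e in events if e and e["proto"] == "udp" and e["dport"] == 137]

def clump(events):
    """Group time-ordered events into bursts separated by more than CLUMP_GAP."""
    groups = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if groups and e["ts"] - groups[-1][-1]["ts"] <= CLUMP_GAP:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups

def summarize(text):
    """Fold each clump into one record: first timestamp, distinct routable
    sources, packet count, and whether a 169.254/16 source was interleaved."""
    records = []
    for g in clump(netbios_ns_events(text)):
        srcs = {e["src"] for e in g}
        link_local = {s for s in srcs if s in LINK_LOCAL}
        records.append({
            "first_seen": g[0]["ts"],
            "sources": sorted(str(s) for s in srcs - link_local),
            "packets": len(g),
            "link_local_interleaved": bool(link_local),
        })
    return records

def weekly_counts(text):
    """Count folded probes per Fri->Thu week; week 0 starts at WEEK0_START.
    A clump counts once per distinct routable source (at least once)."""
    counts = {}
    for r in summarize(text):
        week = (r["first_seen"].date() - WEEK0_START).days // 7
        counts[week] = counts.get(week, 0) + max(1, len(r["sources"]))
    return counts

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        flag = "  <-- link-local source interleaved" if r["link_local_interleaved"] else ""
        print(f"{r['first_seen']:%b %d %H:%M:%S} {r['packets']} pkt(s) "
              f"from {', '.join(r['sources'])}{flag}")
    for week, n in sorted(weekly_counts(SAMPLE_LOG).items()):
        print(f"Week {week:2d}: {n}")
```

Run against the full log from the post, the script reproduces the folding the poster describes by hand: each of the four remote/169.254 bursts collapses to a single probe record carrying the routable source, and the link-local flag makes those bursts easy to pick out of a much larger firewall log. The week index here is simply elapsed days from Dec 31, 1999 divided by 7, so it will not line up with the labels in the poster's table.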