Security Incidents mailing list archives
Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity
From: jeffc () SHORE NET (Jeffrey D. Carter)
Date: Sat, 25 Mar 2000 13:56:28 -0500
I apologize for the volume of this particular log extract, but I believe there is an important trend here that deserves further study and correlation checking. My offhand guess is some new, stupid, Windows 2000 behavior, but my only evidence is that this involves an MS-specific protocol, and the strange activity went from near zero to fast-growing about Feb 15. The logs below represent every single UDP port 137 probe received at the destination address (209.58.151.30) since a few minutes after midnight Dec 31, 1999 to March 25, 2000 (a period of about 86 days). During that time, I have received 58 probes to this address. Notice that exactly zero of these probes were received during the first 35 days covered (all of the month of January plus a few).

I know where UDP 137 queries historically come from: some Microsoft O/Ses, especially if misconfigured, will query NetBIOS Name Service instead of rDNS. Even more-correctly configured ones will consult NetBIOS NS if the rDNS lookup fails. This behavior explains Port 137 probes seen from Internet servers: when a browser, mail client, or other network application accesses a server, the server may attempt to perform name resolution based on the IP address, and will cause (if there are configuration errors or rDNS failures) NetBIOS name lookups.

However, the source addresses below do not represent network servers (some of them are dialup ports, and others are residential DSL and Cable modems according to _their_ rDNS), and many of them occurred when I can unequivocally state that no outbound access to _any_ network server was occurring in close proximity to the probe (I rarely surf at 5AM local time, for instance). In addition, there has been no interruption of rDNS service since it was established for this address last year (resulting in a dramatic reduction in Port 137 probes at the time). And there are NO accessible services at this address.
There is one other anomaly in the data below: 4 of the probe clumps include an interleaved series of a remote address and an address in the 169.254.0.0 netblock. These couldn't possibly be coincidence given the timing (137 probes generally arrive in clumps of 3: these duplicates are eliminated in the sequence below _except_ in the cases where probes were seen from multiple sources simultaneously). Note the groups at Feb 15, Mar 3, Mar 10, and Mar 18. This is significant because netblock 169.254 is reserved for internal network usage, and should never be routed over the Internet. This particular pattern is responsible for 20 of the 58 probes shown here (at 5 packets per).

So, if we look at weekly volume, folding the interleaved 169.254 stuff down to one 'probe' each, we see (fri->thurs):

Week 0: 0 (dec 31->jan 6)
Week 1: 0
Week 2: 0
Week 3: 0
Week 4: 0
Week 5: 0
Week 6: 1
Week 7: 0
Week 8: 2 (feb 11->feb 17)
Week 9: 6
Week 10: 5
Week 11: 5
Week 12: 5
Week 13: 12 (mar 17->mar 23)
Week 14: 5 (first 1.5 days)

Anyone have clues about what piece of brokenware has suddenly decided to start doing these lookups (to which they never get answers), and what triggers it to look for certain addresses? I would also be curious about the magical leaking 169.254 source addresses.
Jeff Carter
jeffc () shore net

==Log data follows==
[Timestamps are US/Eastern, GMT-0500, synchronized via NTP]

Feb 4 17:28:54 drop in udp 63.76.77.22:137 209.58.151.30:137 (78)
Feb 15 22:16:50 drop in udp 202.72.156.37:137 209.58.151.30:137 (78)
Feb 15 22:16:52 drop in udp 202.72.156.37:137 209.58.151.30:137 (78)
Feb 15 22:16:52 drop in udp 169.254.4.114:137 209.58.151.30:137 (78)
Feb 15 22:16:53 drop in udp 202.72.156.37:137 209.58.151.30:137 (78)
Feb 15 22:16:53 drop in udp 169.254.4.114:137 209.58.151.30:137 (78)
Feb 17 19:18:17 drop in udp 207.215.90.93:137 209.58.151.30:137 (78)
Feb 18 08:47:33 drop in udp 210.55.13.37:137 209.58.151.30:137 (78)
Feb 20 00:21:19 drop in udp 208.134.41.8:137 209.58.151.30:137 (78)
Feb 23 01:16:12 drop in udp 209.237.3.44:137 209.58.151.30:137 (78)
Feb 23 19:07:13 drop in udp 207.171.143.80:137 209.58.151.30:137 (78)
Feb 24 12:18:27 drop in udp 208.137.34.48:137 209.58.151.30:137 (78)
Feb 24 13:30:04 drop in udp 204.216.248.83:137 209.58.151.30:137 (78)
Feb 25 10:29:25 drop in udp 206.31.14.98:137 209.58.151.30:137 (78)
Feb 25 12:41:32 drop in udp 205.217.124.5:137 209.58.151.30:137 (78)
Feb 25 18:41:20 drop in udp 208.137.34.48:137 209.58.151.30:137 (78)
Mar 2 05:22:57 drop in udp 206.127.248.27:137 209.58.151.30:137 (78)
Mar 2 16:43:05 drop in udp 209.220.61.116:137 209.58.151.30:137 (78)
Mar 3 17:03:39 drop in udp 216.244.20.57:137 209.58.151.30:137 (78)
Mar 3 17:03:41 drop in udp 169.254.4.24:137 209.58.151.30:137 (78)
Mar 3 17:03:41 drop in udp 216.244.20.57:137 209.58.151.30:137 (78)
Mar 3 17:03:42 drop in udp 169.254.4.24:137 209.58.151.30:137 (78)
Mar 3 17:03:42 drop in udp 216.244.20.57:137 209.58.151.30:137 (78)
Mar 3 17:47:25 drop in udp 204.233.56.42:137 209.58.151.30:137 (78)
Mar 7 02:29:39 drop in udp 208.41.110.60:137 209.58.151.30:137 (78)
Mar 7 03:32:46 drop in udp 207.178.176.35:137 209.58.151.30:137 (78)
Mar 9 17:24:51 drop in udp 63.192.39.167:137 209.58.151.30:137 (78)
Mar 9 22:03:20 drop in udp 204.244.117.46:137 209.58.151.30:137 (78)
Mar 10 10:35:46 drop in udp 209.110.230.223:137 209.58.151.30:137 (78)
Mar 10 10:35:46 drop in udp 169.254.7.158:137 209.58.151.30:137 (78)
Mar 10 10:35:48 drop in udp 209.110.230.223:137 209.58.151.30:137 (78)
Mar 10 10:35:48 drop in udp 169.254.7.158:137 209.58.151.30:137 (78)
Mar 10 10:35:49 drop in udp 209.110.230.223:137 209.58.151.30:137 (78)
Mar 10 10:35:49 drop in udp 169.254.7.158:137 209.58.151.30:137 (78)
Mar 14 14:26:19 drop in udp 207.212.98.142:137 209.58.151.30:137 (78)
Mar 15 01:05:12 drop in udp 209.20.244.92:137 209.58.151.30:137 (78)
Mar 15 16:46:44 drop in udp 207.55.120.154:137 209.58.151.30:137 (78)
Mar 18 10:03:49 drop in udp 212.252.209.117:137 209.58.151.30:137 (78)
Mar 18 10:03:51 drop in udp 169.254.47.26:137 209.58.151.30:137 (78)
Mar 18 10:03:51 drop in udp 212.252.209.117:137 209.58.151.30:137 (78)
Mar 18 10:03:53 drop in udp 169.254.47.26:137 209.58.151.30:137 (78)
Mar 18 10:03:53 drop in udp 212.252.209.117:137 209.58.151.30:137 (78)
Mar 20 11:39:24 drop in udp 209.4.2.217:137 209.58.151.30:137 (78)
Mar 21 07:29:46 drop in udp 210.207.243.89:137 209.58.151.30:137 (78)
Mar 21 15:07:42 drop in udp 208.58.34.58:137 209.58.151.30:137 (78)
Mar 22 05:15:23 drop in udp 209.146.253.179:137 209.58.151.30:137 (78)
Mar 22 09:33:40 drop in udp 209.135.236.38:137 209.58.151.30:137 (78)
Mar 22 19:29:43 drop in udp 205.250.140.125:137 209.58.151.30:137 (78)
Mar 22 19:59:23 drop in udp 24.30.138.227:137 209.58.151.30:137 (78)
Mar 23 08:37:25 drop in udp 206.254.25.33:137 209.58.151.30:137 (78)
Mar 23 09:28:47 drop in udp 207.112.4.136:137 209.58.151.30:137 (78)
Mar 23 11:40:46 drop in udp 204.253.4.107:137 209.58.151.30:137 (78)
Mar 23 15:33:17 drop in udp 207.212.76.106:137 209.58.151.30:137 (78)
Mar 24 11:54:38 drop in udp 203.236.105.23:137 209.58.151.30:137 (78)
Mar 24 21:04:18 drop in udp 216.244.18.137:137 209.58.151.30:137 (78)
Mar 24 22:44:55 drop in udp 207.228.5.142:137 209.58.151.30:137 (78)
Mar 25 06:33:45 drop in udp 24.92.246.37:137 209.58.151.30:137 (78)
Mar 25 10:44:50 drop in udp 209.53.11.121:137 209.58.151.30:137 (78)
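As an added example (not the poster's own tooling), the following Python script automates the analysis the post does by hand: it parses log lines in the format shown above, collapses the 3-packet NBNS retry clumps from one source, flags 169.254/16 sources that should never reach an Internet-facing firewall, and buckets probes into Fri->Thu weeks starting Dec 31. The log year, the 5-second clump window and the documentation-range sample addresses are assumptions.

```python
# Added example: parse UDP/137 firewall drops, collapse retry clumps,
# flag link-local (169.254/16) sources, and count per Fri->Thu week.
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) drop in udp "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+) \(\d+\)$"
)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # auto-config range, never routable
WEEK0_START = datetime(1999, 12, 31)                  # Friday; week 0 = Dec 31 -> Jan 6
LOG_YEAR = 2000                                       # assumed: syslog-style lines carry no year

# Constructed sample in the post's log format (documentation addresses, not the post's data).
SAMPLE = """\
Feb 4 17:28:54 drop in udp 198.51.100.22:137 203.0.113.30:137 (78)
Feb 15 22:16:50 drop in udp 198.51.100.37:137 203.0.113.30:137 (78)
Feb 15 22:16:52 drop in udp 198.51.100.37:137 203.0.113.30:137 (78)
Feb 15 22:16:52 drop in udp 169.254.4.114:137 203.0.113.30:137 (78)
Feb 15 22:16:53 drop in udp 198.51.100.37:137 203.0.113.30:137 (78)
Feb 15 22:16:53 drop in udp 169.254.4.114:137 203.0.113.30:137 (78)
Feb 17 19:18:17 drop in udp 198.51.100.93:137 203.0.113.30:137 (78)
Mar 2 05:22:57 drop in udp 198.51.100.27:1025 203.0.113.30:53 (60)
""".splitlines()

def parse(lines):
    """Return (timestamp, source) pairs for UDP/137 drops; other lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["dport"] == "137":
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, ipaddress.ip_address(m["src"])))
    return events

def collapse_clumps(events, window=timedelta(seconds=5)):
    """NBNS queries are retried ~3 times within seconds: keep one event per source
    per clump, but keep every distinct source so interleaved 169.254 packets stay visible."""
    last_seen, kept = {}, []
    for ts, src in sorted(events):
        if src not in last_seen or ts - last_seen[src] > window:
            kept.append((ts, src))
        last_seen[src] = ts
    return kept

def link_local_sources(events):
    """Sources inside 169.254/16; any hit means a non-routable address reached the firewall."""
    return sorted({str(src) for _, src in events if src in LINK_LOCAL})

def weekly_counts(events, fold_link_local=True):
    """Probes per Fri->Thu week (index 0 starts Dec 31). With fold_link_local, the
    169.254 companions of a remote source are not counted as separate probes."""
    counts = Counter((ts - WEEK0_START).days // 7 for ts, src in events
                     if not (fold_link_local and src in LINK_LOCAL))
    return dict(sorted(counts.items()))
```

Feed the real log through `parse` line by line; the interleaved groups the post describes show up as a remote source and a 169.254 source kept side by side by `collapse_clumps`.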
Current thread:
- Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity Jeffrey D. Carter (Mar 25)
- Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity Bryan Andersen (Mar 28)
- Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity Christoph Schneeberger (Mar 29)
- Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity Bill Pennington (Mar 29)
- Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity) Pavel Kankovsky (Mar 29)
- Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity) Joshua Krage (Mar 29)
- Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity) Greg A. Woods (Mar 29)
- Re: 169.254.x.x Robert Graham (Mar 29)
- Re: 169.254.x.x Pavel Kankovsky (Mar 30)