Security Incidents mailing list archives
FROM port 137 TO port 137
From: Bryan Bradsby <Bryan.Bradsby () CAPNET STATE TX US>
Date: Sat, 3 Mar 2001 01:02:37 -0600
There seems to be a great deal of fear, panic, and confusion about packets FROM port 137 TO port 137. If you are getting a small number (say 4) of packets per second FROM port 137 and TO port 137, this is not a denial of service. If that is all you have, don't report it to the source ISP until you inspect the contents of the packets and determine the real cause. Some issues to consider are touched on below.

Let us consider some possible causes of traffic FROM port 137 and TO port 137.

1. This could be because the remote site has a worm similar to Network.VBS, and is searching for MS Windows open shares:
http://www.sans.org/newlook/resources/IDFAQ/port_137.htm

2. However, this COULD be *perfectly normal* if you make connections to outside networks from your boxes that lack proper forward and reverse DNS entries.

3. Also, if the remote site is using Black Ice Defender, their firewall may be causing these packets (after your box initiates a connection to their network). The Black Ice firewall is only attempting to get the Netbios host name for an IP that connected to their network, to record that data in their logs.

One of the best explanations for the port 137 traffic is:
http://www.robertgraham.com/pubs/firewall-seen.html#10

Synopsis: If a box "YYY" on your network initiates a connection to a Win box "ZZZ" (outside your net), the remote box "ZZZ" may attempt to resolve the IP address of "YYY" by looking up the PTR record for "YYY" in your DNS. This is a function call - gethostbyaddress(). If your DNS server does not supply a host name for the IP address of "YYY" within 14 seconds, the remote Win box "ZZZ" will attempt Netbios Name resolution for "YYY" by asking "YYY" for Netbios "nodestatus" for the nodename wildcard "*".

This behavior is "completely normal" for Windows boxes. If you don't like it, either complain to Bill G, or block ports 135-139. Silently blocking (dropping) those packets is a bad thing to do. The proper thing to do is send "icmp port unreach".
Neither will stop the packets from coming. Providing proper reverse DNS for all the boxes on your network that will connect to the outside will mean you are doing the right thing, and may reduce some of this traffic. -bryan bradsby
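The post's advice is to inspect the port 137 packets before reporting them. The following is an added example, not part of Bryan's message or of any tool he mentions: a small NetBIOS Name Service (RFC 1002) decoder that tells the "nodestatus for the wildcard *" lookup described above apart from ordinary name queries and responses. The wildcard name is first-level encoded as "CK" followed by thirty "A"s, which is the string you will see in the payload of these packets. The sample packets it classifies are constructed in the code, not captured traffic; the function and constant names are the example's own.

```python
"""Triage UDP/137 (NetBIOS Name Service) payloads by content.

Added example (not from the original post). The packets built below are
constructed for illustration; only the encoding rules are from RFC 1002.
"""
import struct

NBNS_TYPE_NB = 0x0020      # NB: NetBIOS name query
NBNS_TYPE_NBSTAT = 0x0021  # NBSTAT: node status request (what nbtstat -A sends)


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name (RFC 1002 4.1): 16 raw bytes, each
    split into two nibbles, each nibble added to 'A' (0x41) -> 32 chars.
    Normal names are space-padded to 15 bytes plus a 1-byte suffix; the
    wildcard '*' is instead followed by 15 NUL bytes."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.encode("ascii")[:15].upper().ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> bytes:
    """Reverse of encode_netbios_name; returns the 16 raw name bytes."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    out = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid first-level encoding")
        out.append((hi << 4) | lo)
    return bytes(out)


def build_nbns_query(name: str, qtype: int, txid: int,
                     flags: int = 0x0000, suffix: int = 0x00) -> bytes:
    """Assemble a one-question NBNS packet: 12-byte header, then the question
    (length byte 0x20, 32-char encoded name, zero terminator, type, class IN)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 0x0001)


def build_node_status_request(txid: int = 0x8001) -> bytes:
    """The packet a Windows host sends after its PTR lookup times out:
    an NBSTAT query for the wildcard name '*'."""
    return build_nbns_query("*", NBNS_TYPE_NBSTAT, txid)


def classify_nbns(payload: bytes) -> dict:
    """Parse the header and first question of an NBNS payload and label it.
    Labels: 'node-status-wildcard' (the benign lookup from the post),
    'node-status', 'name-query', 'response', or 'other'."""
    if len(payload) < 12:
        raise ValueError("too short for an NBNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    result = {"txid": txid, "response": bool(flags & 0x8000),
              "opcode": (flags >> 11) & 0x0F, "qdcount": qdcount,
              "qtype": None, "name": None, "label": "other"}
    if qdcount < 1:
        return result
    pos = 12
    if len(payload) < pos + 33 or payload[pos] != 0x20:
        raise ValueError("unexpected question name length")
    name = decode_netbios_name(payload[pos + 1:pos + 33])
    pos += 33
    while pos < len(payload) and payload[pos] != 0:  # skip scope labels, if any
        pos += 1 + payload[pos]
    pos += 1
    if len(payload) < pos + 4:
        raise ValueError("truncated question section")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    result["qtype"], result["name"] = qtype, name
    if result["response"]:
        result["label"] = "response"
    elif qtype == NBNS_TYPE_NBSTAT and name[:1] == b"*":
        result["label"] = "node-status-wildcard"
    elif qtype == NBNS_TYPE_NBSTAT:
        result["label"] = "node-status"
    elif qtype == NBNS_TYPE_NB:
        result["label"] = "name-query"
    return result


if __name__ == "__main__":
    # Constructed samples: the benign wildcard lookup, a broadcast name query
    # (flags 0x0110 = broadcast + recursion desired), and a response.
    samples = [
        build_node_status_request(0x1234),
        build_nbns_query("WORKGROUP", NBNS_TYPE_NB, 0x0002, flags=0x0110, suffix=0x1C),
        build_nbns_query("*", NBNS_TYPE_NBSTAT, 0x1234, flags=0x8400),
    ]
    for pkt in samples:
        info = classify_nbns(pkt)
        print(f"txid={info['txid']:#06x} label={info['label']:<22} name={info['name']!r}")
```

A packet whose label comes back as node-status-wildcard, arriving shortly after one of your hosts opened a connection to the sender, is the behaviour the post describes; a burst of such queries to many addresses you never talked to is what a share-scanning worm looks like. Either way, the payload rather than the port number is what distinguishes them.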
Current thread:
- DNS UDP Dos Attack? James Kelty (Mar 02)
- Re: DNS UDP Dos Attack? Wlodek (Mar 02)
- Re: DNS UDP Dos Attack? Aaron Schultz (Mar 03)
- FROM port 137 TO port 137 Bryan Bradsby (Mar 03)
- Re: DNS UDP Dos Attack? Gary Maltzen (Mar 04)
- Re: DNS UDP Dos Attack? Wlodek (Mar 02)