Re: Windows mystery udp/137 to udp/137

[Brady McClenon <mcclenbw () ONEONTA EDU>]

I'll admit to never trying this, but I thought you could stop a Windows
client's NetBIOS broadcasts by changing the NetBIOS node-type to P-node
(Peer-to-Peer).

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet
/cncd_win_ysph.mspx?mfr=true


Brady McClenon
Administrative Computer Services
State University College at Oneonta
Oneonta, NY  13820



> -----Original Message-----
> From: Jeff Kell [mailto:jeff-kell () UTC EDU]
> Sent: Tuesday, May 22, 2007 10:58 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Windows mystery udp/137 to udp/137
>
> Clyde Hoadley wrote:
> > We have several Windows servers that regularly attempt to send udp
> packets
> > from port 137 to non existent IP address udp port 137.  These get
> > blocked by the firewall.  The Sys Admins haven't been able to figure
> > out why they do it.  Has anyone encountered this problem before?
>
> This is the evil Microsoft empire :-)
>
> Windows machines will constantly chatter on 137 and 138.  As others
> have noted, 137/138 are used by both WINS and NetBIOS local name
> resolution protocol.  They also chatter on 1900 and 5000 (plug-and-
> pray).  And Vista has another newfangled name resolution protocol that
> will probably add more to the background noise.  But back to 137...
> it's very difficult to make it go away.
>
> Part of this "chatter" is broadcast traffic, and it will blast away on
> 255.255.255.255 IP (ffff.ffff.ffff MAC).  Sometimes it will be polite
> enough to only use the network-local broadcast.  But it will
broadcast.
> And any server in range may answer.  I suspect this is where your
> unusual traffic is coming from.  The clients will broadcast from
> whatever address they "think" is theirs, but the destination *is* a
> broadcast, and so it looks reasonable to your server.  In your case it
> appears the clients are misconfigured -- the 169.254 one obviously
> didn't get his DHCP request satisfied, and the 192.168 one might be
> bridging traffic from a private network.  At any rate, unless you are
> routing broadcast traffic (and bear in mind that Cisco's with 'ip
> helper-address' will forward lots of broadcasts by default, not just
> bootp/dhcp), the misconfigured clients are probably on the same subnet
> as the servers.
>
> Only if you see 137 requests in a scanning pattern (lots of them to
> different addresses, usually in the same /8 or /16, non-repetitive)
> would I suspect a virus/worm.  The rest of the 137 stuff is the evil
> empire doing it's thing.
>
> "But I don't have WINS configured".  Doesn't seem to matter.
>
> "But I don't have NetBIOS configured".  Doesn't seem to matter either.
> Certain DHCP options will fire it up for you, especially if your DHCP
> server is a Windows one.
>
> The only "sure-fire, 100% dead-on, absolutely positive" way to keep
> clients from doing this is to disable NetBIOS completely.  This is
done
> from My Computer -> Properties -> Hardware -> Device Manager, then
> View...Show Hidden Devices, then navigate down to Non Plug-and-Play
> Devices, NetBIOS over TCP, right-click and "Disable".
>
> But that is admittedly a little bit overkill and can whack out your
> \\servername\resource references.  If anyone has a better solution I'm
> all ears.
>
> In theory, there is absolutely no reason for any Windows 2000 or
> greater version to need to use ports 137-139 at all.  Since W2K it is
> "supposed to be" doing file sharing on 445 and name resolution through
> DNS.  I would dearly love to just block 137-139 everywhere (well, I'd
> like to add 135, but that seems to be an impossibility), but everytime
> I try, something comes up broken or the Windows admins yell that
> something stopped working.
>
> It's kinda like IPX or Appletalk... took 20 years to make them finally
> go away...
>
> Jeff