Re: Windows mystery udp/137 to udp/137

["Vanderbilt, Teresa" <tvanderb () OZARKS EDU>]

I think I finally stopped the traffic at my site. I found these posts on
the internet and decided to try it.
http://www.the-collective.net/networklog/
http://lists.sans.org/pipermail/list/2005-January/019040.html

The underlying cause may very well be Wins but I don't want to turn that
off my DC's as I do have a few downlevel clients still in the field.

I have a Cisco Pix 515 firewall and didn't have arp turned off on all
the interfaces.

Sysopt noproxyarp int1 (substitute your own interface name for int1)
Sysopt noproxyarp outside
Sysopt noproxyarp dmz1

Then, save your configuration and "cl arp".

Thanks for all the input and I hope this helps someone else.

Teresa


-----Original Message-----
From: Brady McClenon [mailto:mcclenbw () ONEONTA EDU] 
Sent: Tuesday, May 22, 2007 10:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows mystery udp/137 to udp/137

I'll admit to never trying this, but I thought you could stop a Windows
client's NetBIOS broadcasts by changing the NetBIOS node-type to P-node
(Peer-to-Peer).

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet
/cncd_win_ysph.mspx?mfr=true


Brady McClenon
Administrative Computer Services
State University College at Oneonta
Oneonta, NY  13820



> -----Original Message-----
> From: Jeff Kell [mailto:jeff-kell () UTC EDU]
> Sent: Tuesday, May 22, 2007 10:58 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Windows mystery udp/137 to udp/137
>
> Clyde Hoadley wrote:
> > We have several Windows servers that regularly attempt to send udp
> packets
> > from port 137 to non existent IP address udp port 137.  These get 
> > blocked by the firewall.  The Sys Admins haven't been able to figure

> > out why they do it.  Has anyone encountered this problem before?
>
> This is the evil Microsoft empire :-)
>
> Windows machines will constantly chatter on 137 and 138.  As others 
> have noted, 137/138 are used by both WINS and NetBIOS local name 
> resolution protocol.  They also chatter on 1900 and 5000 (plug-and- 
> pray).  And Vista has another newfangled name resolution protocol that

> will probably add more to the background noise.  But back to 137...
> it's very difficult to make it go away.
>
> Part of this "chatter" is broadcast traffic, and it will blast away on
> 255.255.255.255 IP (ffff.ffff.ffff MAC).  Sometimes it will be polite 
> enough to only use the network-local broadcast.  But it will
broadcast.
> And any server in range may answer.  I suspect this is where your 
> unusual traffic is coming from.  The clients will broadcast from 
> whatever address they "think" is theirs, but the destination *is* a 
> broadcast, and so it looks reasonable to your server.  In your case it

> appears the clients are misconfigured -- the 169.254 one obviously 
> didn't get his DHCP request satisfied, and the 192.168 one might be 
> bridging traffic from a private network.  At any rate, unless you are 
> routing broadcast traffic (and bear in mind that Cisco's with 'ip 
> helper-address' will forward lots of broadcasts by default, not just 
> bootp/dhcp), the misconfigured clients are probably on the same subnet

> as the servers.
>
> Only if you see 137 requests in a scanning pattern (lots of them to 
> different addresses, usually in the same /8 or /16, non-repetitive) 
> would I suspect a virus/worm.  The rest of the 137 stuff is the evil 
> empire doing it's thing.
>
> "But I don't have WINS configured".  Doesn't seem to matter.
>
> "But I don't have NetBIOS configured".  Doesn't seem to matter either.
> Certain DHCP options will fire it up for you, especially if your DHCP 
> server is a Windows one.
>
> The only "sure-fire, 100% dead-on, absolutely positive" way to keep 
> clients from doing this is to disable NetBIOS completely.  This is
done
> from My Computer -> Properties -> Hardware -> Device Manager, then 
> View...Show Hidden Devices, then navigate down to Non Plug-and-Play 
> Devices, NetBIOS over TCP, right-click and "Disable".
>
> But that is admittedly a little bit overkill and can whack out your 
> \\servername\resource references.  If anyone has a better solution I'm

> all ears.
>
> In theory, there is absolutely no reason for any Windows 2000 or 
> greater version to need to use ports 137-139 at all.  Since W2K it is 
> "supposed to be" doing file sharing on 445 and name resolution through

> DNS.  I would dearly love to just block 137-139 everywhere (well, I'd 
> like to add 135, but that seems to be an impossibility), but everytime

> I try, something comes up broken or the Windows admins yell that 
> something stopped working.
>
> It's kinda like IPX or Appletalk... took 20 years to make them finally

> go away...
>
> Jeff