Firewall Wizards mailing list archives

Re: many attempts to Port 137 (NetBIOS-NameService)


From: Robert Graham <robert_david_graham () yahoo com>
Date: Wed, 16 Feb 2000 17:58:19 -0800 (PST)

I wouldn't be worried:
http://www.robertgraham.com/pubs/firewall-seen.html#port137

Are the source ports 137 as well? A 137->137 packet is almost certainly a
request from a Windows machine, or a response. For example, you might have a
machine internally sending out NetBIOS requests, and these might be the
responses.

Alternatively, for some reason, these might be Windows machines trying to do a
reverse DNS lookup on your machine. If the DNS server doesn't respond in a
timely manner, Windows machines will give up and try a NetBIOS query to resolve
your name. This is part of Microsoft's Winsock implementation, so it is an OS
thing rather than an application thing. I know this is weird advice: check your
DNS server, it may fix the problem.

In any event, grab a packet sniffer (like tcpdump, which is probably installed
by default on your Linux box) and capture the packets to a file. If you send me
the file, I could probably figure out what these NetBIOS packets are looking
for (warning: you would be disclosing sensitive info if you did this).

Rob.

--- Joerg Walter <joerg.walter () members debis at> wrote:
Hi folks,
I discovered a strange thing on a Firewall (IPCHAINS-based, RedHat 6.0,
Kernel 2.2.12-20). There are lots of connect-attempts to this machine to Port
137 (NetBIOS-NameService). These attempts are blocked but nevertheless I'm
wondering, since the source of these packets are addresses throughout Europe
and they don't seem to be broadcasts (destination address is exactly that
machine).
We have some other Firewalls set up just the same on the same network and
they don't get these packets...

Is this something to be worried about?

=====
Robert Graham  http://www.robertgraham.com/pubs
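
Added example, not part of the original message: one way to see what captured port-137 packets "are looking for" is to decode the NetBIOS Name Service question (RFC 1001/1002 layout) from each UDP payload. The function names and the sample packet below are constructed for illustration.

```python
import struct

QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}  # name query / node status (RFC 1002)

def decode_nb_name(encoded: bytes):
    """Undo first-level encoding: 32 letters 'A'..'P' become 16 raw bytes."""
    if len(encoded) != 32 or any(not 0x41 <= b <= 0x50 for b in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # Bytes 0-14 hold the name (space or NUL padded); byte 15 is the suffix.
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]

def parse_nbns(payload: bytes):
    """Parse the UDP payload of a port-137 packet; return header and questions."""
    if len(payload) < 12:
        raise ValueError("truncated NBNS header")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    result = {"txid": txid, "is_response": bool(flags & 0x8000),
              "opcode": (flags >> 11) & 0xF, "questions": []}
    off = 12
    for _ in range(qdcount):
        if payload[off:off + 1] != b"\x20" or off + 33 > len(payload):
            raise ValueError("bad or truncated question name")
        name, suffix = decode_nb_name(payload[off + 1:off + 33])
        off += 33
        while True:  # skip optional scope labels up to the root label
            if off >= len(payload):
                raise ValueError("unterminated name")
            length = payload[off]
            off += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("unexpected compression pointer")
            off += length
        if off + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!2H", payload[off:off + 4])
        off += 4
        result["questions"].append(
            {"name": name, "suffix": suffix,
             "qtype": QTYPES.get(qtype, hex(qtype))})
    return result

# Constructed sample: a node status request for the wildcard name "*".
SAMPLE = (bytes.fromhex("123400000001000000000000") + b"\x20" + b"CK"
          + b"A" * 30 + b"\x00" + bytes.fromhex("00210001"))

if __name__ == "__main__":
    print(parse_nbns(SAMPLE))
```

The input is the UDP payload of each packet, for example extracted from a capture file written with `tcpdump -w`.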


