Firewall Wizards mailing list archives
Re: many attempts to Port 137 (NetBIOS-NameService)
From: "Chuck O'Donnell" <cao () bus net>
Date: Fri, 18 Feb 2000 18:34:22 -0500
On Wed, Feb 16, 2000 at 05:29:16PM -0800, Bill Pennington wrote:
> My guess would be that these are harmless packets getting sent to you by IIS servers and other NT based web reporting tools. Normally they come in groups of 3. IIS and other tools attempt to collect additional info from you when you access an IIS site. They do this via NetBIOS. However I am seeing hundreds of UDP/137 attempts from a single IP address in a very short period of time. I can't figure out why someone would want to do that since I am silently dropping them at the firewall. Must be some new toy the script kiddies have these days. Hope that helps! If anyone has a clue on the UDP/137 flood let me know.

I see the random ones all the time from different IPs, which I agree are normal. The destination address is usually a web server on our network. But I do occasionally (couple times a week or so) see a flood of packets to port 137, and running the length of one of our class C's as the destination address. It would seem like a bulk scan for open NetBIOS services.

Chuck

> Joerg Walter wrote:
>
> > Hi folks, I discovered a strange thing on a Firewall (IPCHAINS-based, RedHat 6.0, Kernel 2.2.12-20). There are lots of connect-attempts to this machine to Port 137 (NetBIOS-NameService). These attempts are blocked but nevertheless I'm wondering, since the sources of these packets are addresses throughout Europe and they don't seem to be broadcasts (destination address is exactly that machine). We have some other Firewalls set up just the same on the same network and they don't get these packets... Is this something to be worried about?
>
> --
> Bill Pennington
> IT Manager
> Rocketcash
> billp () rocketcash com
> http://www.rocketcash.com
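
The three UDP/137 patterns described in this thread (a few stray packets per source, hundreds from one source in a short time, and one source running the length of a class C) can be told apart from the firewall's deny log. The following is an added example, not part of the original messages: the log lines are constructed and only modelled on ipchains kernel logging, the addresses are documentation ranges, and the thresholds are assumptions to tune locally.

```python
import re
from collections import defaultdict

# Assumed layout, modelled on ipchains "-l" kernel log lines (denied UDP to port 137).
LINE = re.compile(
    r"(\d\d):(\d\d):(\d\d) \S+ kernel: Packet log: \S+ DENY \S+ PROTO=17 "
    r"(\d+\.\d+\.\d+\.\d+):\d+ (\d+\.\d+\.\d+\.\d+):137 ")

def classify(lines, sweep_hosts=20, flood_count=100, flood_window=60):
    """Label each source of denied UDP/137 traffic as 'sweep', 'flood' or 'stray'."""
    seen = defaultdict(list)  # src -> [(seconds_since_midnight, dst), ...]
    for line in lines:
        m = LINE.search(line)
        if m:
            h, mi, s, src, dst = m.groups()
            seen[src].append((int(h) * 3600 + int(mi) * 60 + int(s), dst))
    verdicts = {}
    for src, hits in seen.items():
        hits.sort()
        times = [t for t, _ in hits]
        # Sweep: one source touching many distinct hosts of the same /24.
        per_net = defaultdict(set)
        for _, dst in hits:
            per_net[dst.rsplit(".", 1)[0]].add(dst)
        widest = max(len(hosts) for hosts in per_net.values())
        # Flood: largest number of packets inside a sliding time window.
        burst, lo = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > flood_window:
                lo += 1
            burst = max(burst, hi - lo + 1)
        verdicts[src] = ("sweep" if widest >= sweep_hosts
                         else "flood" if burst >= flood_count else "stray")
    return verdicts

def sample_log():
    """Constructed log: 3 stray packets, a /24 sweep, and a single-target flood."""
    fmt = ("Feb 18 {:02d}:{:02d}:{:02d} fw kernel: Packet log: input DENY eth0 "
           "PROTO=17 {}:137 {}:137 L=78 S=0x00 I=1 F=0x0000 T=110 (#4)")
    log = [fmt.format(9, 0, i, "192.0.2.7", "203.0.113.80") for i in range(3)]
    log += [fmt.format(10, 0, i % 60, "198.51.100.9", f"203.0.113.{i}")
            for i in range(1, 255)]
    log += [fmt.format(11, 0, i % 30, "192.0.2.200", "203.0.113.80")
            for i in range(150)]
    return log

if __name__ == "__main__":
    print(classify(sample_log()))
```

A source that matches both conditions is reported as a sweep, since the breadth of destinations is the more specific signal.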