Security Incidents mailing list archives

Re: Weird UDP packets


From: DerekB () AMDOCS COM (Derek Becker)
Date: Wed, 8 Mar 2000 08:48:55 -0600


Are you filtering outbound nbt? These may be replies if you're forwarding
nbt broadcasts from your interior machines.

Derek

-----Original Message-----
From: Damian Gerow [mailto:damian () ITACTICS COM]
Sent: Monday, March 06, 2000 2:55 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Weird UDP packets

I've been watching my firewall logs, and in the past week something has
cropped up.  The firewall (all packets _do_ have a destination of the
firewall) is a filtering, forwarding firewall protecting both Linux and
NT servers.  It does not run Samba, only SSH.  The weird part of it is
that packets are coming from port 137 and going to port 137, and always
three packets from a different source each time.  Can anyone help me
with this one?

Mar  3 04:57:42 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=3411 T=112
Mar  3 04:57:43 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=3667 T=112
Mar  3 04:57:45 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=4179 T=112

Mar  4 00:15:42 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=47942 T=110
Mar  4 00:15:43 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=48198 T=110
Mar  4 00:15:45 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=48454 T=110

Mar  4 13:40:06 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28395 T=112
Mar  4 13:40:07 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28651 T=112
Mar  4 13:40:09 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28907 T=112

Mar  5 20:51:03 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=51733 T=122
Mar  5 20:51:04 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=59925 T=122
Mar  5 20:51:06 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=790 T=122
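The following is an added example and not part of either message in the thread: a small Python script that parses the ipchains "Packet log:" lines quoted above, keeps only the denied UDP 137->137 packets, and reports per-source bursts, so the "three packets from a different source each time" pattern can be confirmed from the log rather than by eye. The input is the post's own log lines, re-joined onto one line each because the archive wrapped them; the year (2000, from the message date), the 10-second window and the three-packet threshold are assumptions made here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for the ipchains "Packet log:" format as quoted in the post. The L= field
# is accepted as shown there ("L=78:58"); an F= fragment field, if present, is skipped.
LOG_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+Packet log:\s+"
    r"(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\S+)\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)(?::\d+)?\s+S=(?P<tos>\S+)\s+I=(?P<ipid>\d+)(?:\s+F=\S+)?\s+T=(?P<ttl>\d+)"
)

ASSUMED_YEAR = 2000  # assumption: syslog stamps carry no year; the post is dated March 2000

# The twelve log lines quoted in the post, one packet per line.
SAMPLE_LOG = """\
Mar  3 04:57:42 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=3411 T=112
Mar  3 04:57:43 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=3667 T=112
Mar  3 04:57:45 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=4179 T=112
Mar  4 00:15:42 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=47942 T=110
Mar  4 00:15:43 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=48198 T=110
Mar  4 00:15:45 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=48454 T=110
Mar  4 13:40:06 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28395 T=112
Mar  4 13:40:07 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28651 T=112
Mar  4 13:40:09 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28907 T=112
Mar  5 20:51:03 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=51733 T=122
Mar  5 20:51:04 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=59925 T=122
Mar  5 20:51:06 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=790 T=122
"""


def parse_line(line):
    """Return a dict of fields for one packet-log line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "Mar  3 04:57:42" -> datetime; strptime treats a format space as any run of whitespace
    rec["when"] = datetime.strptime(f"{ASSUMED_YEAR} {rec['stamp']}", "%Y %b %d %H:%M:%S")
    for key in ("sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    return rec


def find_netbios_bursts(lines, min_packets=3, window=timedelta(seconds=10)):
    """Collect UDP 137->137 packets per source and report groups of at least
    min_packets whose timestamps fall within `window`, sorted by first packet."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        if rec["sport"] != 137 or rec["dport"] != 137:
            continue
        by_src[rec["src"]].append(rec)

    bursts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["when"])
        i = 0
        while i < len(recs):
            j = i
            while j + 1 < len(recs) and recs[j + 1]["when"] - recs[i]["when"] <= window:
                j += 1
            group = recs[i:j + 1]
            if len(group) >= min_packets:
                bursts.append({
                    "src": src,
                    "first": group[0]["when"],
                    "last": group[-1]["when"],
                    "count": len(group),
                    "ttl": sorted({r["ttl"] for r in group}),
                    # seconds between consecutive packets, e.g. [1, 2] for a 0s/1s/3s triplet
                    "gaps_s": [int((b["when"] - a["when"]).total_seconds())
                               for a, b in zip(group, group[1:])],
                })
            i = j + 1
    bursts.sort(key=lambda b: b["first"])
    return bursts


def summarize(lines=None):
    """Run the burst detector over the post's log lines (or any lines given)."""
    return find_netbios_bursts(SAMPLE_LOG.splitlines() if lines is None else lines)


if __name__ == "__main__":
    for b in summarize():
        print(f"{b['first']:%b %d %H:%M:%S}  {b['src']:>16}  "
              f"{b['count']} pkts  gaps={b['gaps_s']}  ttl={b['ttl']}")
```

Run against the quoted lines it reports four bursts, one per source, each of exactly three packets spaced 1 and 2 seconds apart with a single TTL per source; that regular spacing is the retry-like shape the poster noticed. The same parser can be pointed at the firewall's full log to check the reply's question, namely whether the box is also passing outbound port 137 traffic that these packets could be answers to.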

