Security Incidents mailing list archives

Re: Odd UPD scan


From: G.E.Fowler () LBORO AC UK (Graeme Fowler)
Date: Mon, 20 Mar 2000 13:34:18 -0000


On 17-Mar-2000 Bill Pennington wrote:
> I have seen the same around the networks I watch lately. Since it
> didn't seem like a scan I had seen before (most scans for Netbios
> have a high source port) I have just been ignoring them. I had also
> noticed that they come in bunches then disappear so I chalked it up to
> something misconfigured somewhere. I would be interested if anyone has
> other ideas about this.

Misconfigured, maybe. Programmatical, almost certainly.

It's a Windoze-ism. We noticed large quantities of these NetBIOS UDP
port 137 packets inbound, particularly to our webserver. A quick nmap
-O showed us that the systems in question were almost always identified
trivially as Windows machines.

When tested in-house, we noticed that these packets came in bunches of
three every time a new connection was established over TCP from machine
to machine. After a little digging we found that the MS Windows IP
stack tries to do a NB name lookup of the destination machine by
probing on the NB-Name Service port (137 UDP), presumably because of
the <ahem> 'integrated' way IE/MS Explorer are now installed on recent
Windows versions.

It's almost as though it can't tell the difference between local and
remote machines. Sigh.

I may have already proffered this as an explanation on this list
recently but I have to tell so many people this one I forget whether I
have or not...

Quick question: If every single MS Windows machine *in the world* is
doing this, how much bandwidth are they using?

Graeme

--
Graeme Fowler
Network Officer, Infrastructure & Networks Group
Loughborough University Computing Services
+44 1509 228426
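
The pattern described in the message above (UDP port 137 packets arriving in a bunch right after a new TCP connection from the same Windows host) can be told apart from a sweep when reviewing connection logs. This is an added example, not part of the original post; the record format, the 5-second window and the three-destination threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records (not from the original post):
# (seconds, protocol, source IP, destination IP, destination port)
SAMPLE_LOG = [
    (0.0, "tcp", "192.0.2.10", "198.51.100.5", 80),    # web connection
    (0.2, "udp", "192.0.2.10", "198.51.100.5", 137),   # bunch of three
    (1.7, "udp", "192.0.2.10", "198.51.100.5", 137),
    (3.2, "udp", "192.0.2.10", "198.51.100.5", 137),
    (10.0, "udp", "203.0.113.7", "198.51.100.1", 137),  # no TCP first,
    (10.1, "udp", "203.0.113.7", "198.51.100.2", 137),  # many targets
    (10.2, "udp", "203.0.113.7", "198.51.100.3", 137),
    (10.3, "udp", "203.0.113.7", "198.51.100.4", 137),
]

WINDOW = 5.0           # assumed: seconds after a TCP connection to accept probes
SWEEP_MIN_TARGETS = 3  # assumed: unexplained destinations that suggest a sweep


def classify_nbns(records, window=WINDOW, sweep_min=SWEEP_MIN_TARGETS):
    """Return {source: verdict} for every source that sent UDP/137."""
    last_tcp = {}                 # (src, dst) -> time of latest TCP connection
    followups = defaultdict(int)  # src -> probes preceded by a TCP connection
    orphans = defaultdict(set)    # src -> destinations probed without one
    for ts, proto, src, dst, dport in sorted(records):
        if proto == "tcp":
            last_tcp[(src, dst)] = ts
        elif proto == "udp" and dport == 137:
            seen = last_tcp.get((src, dst))
            if seen is not None and ts - seen <= window:
                followups[src] += 1
            else:
                orphans[src].add(dst)
    verdicts = {}
    for src in set(followups) | set(orphans):
        if len(orphans[src]) >= sweep_min:
            verdicts[src] = "possible-sweep"   # many targets, no TCP context
        elif orphans[src]:
            verdicts[src] = "unexplained"      # isolated probe, look closer
        else:
            verdicts[src] = "tcp-follow-up"    # matches the Windows behaviour
    return verdicts


if __name__ == "__main__":
    for source, verdict in sorted(classify_nbns(SAMPLE_LOG).items()):
        print(source, verdict)
```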


