Security Incidents mailing list archives
Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity
From: billp () ROCKETCASH COM (Bill Pennington)
Date: Wed, 29 Mar 2000 08:40:31 -0800
Besides Robert Graham's excellent list of things that might be causing unwanted UDP/137 traffic, another common one I have seen is Windows-based reporting tools. The cause is most likely not having a reverse DNS for these hosts. Looking at the log times it seems likely that these are nightly website traffic reports that are kicking off late at night and attempting to look up your machine name (via rDNS first, then via NetBIOS). What timezone are the log times in? They seem to come in groups of 3 close together, which is a good indication that they are lookups. My guess on the second set is that 2 machines are running the same log files.

Bryan Andersen wrote:
> I too have seen this behavior. I block them at my firewall, but the numbers have dramatically increased for port 137 scans that hit every IP# in my micro net address range. Before Feb I'd see one a month at most. For the week of * I've seen:
>
> Feb 27: 3
> Mar 5: 5
> Mar 12: 8
> Mar 19: 4
> Mar 26: 3 so far
>
> I have a /30 net routed to me so I see traffic for 4 IP addresses. IP# *.18 is my DSL router so I don't see messages to it. I know I wasn't on the net last night at that time, and the address wasn't accessing my web server either. These log events from yesterday are typical of what I'd see:
>
> Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00 I=63748 F=0x0000 T=112
> Mar 27 22:00:27 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00 I=5381 F=0x0000 T=112
> Mar 27 22:00:28 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00 I=5637 F=0x0000 T=112
> Mar 27 22:00:36 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00 I=58373 F=0x0000 T=112
> Mar 27 22:00:37 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00 I=58629 F=0x0000 T=112
> Mar 27 22:00:39 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00 I=59141 F=0x0000 T=112
> Mar 27 22:00:57 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00 I=4360 F=0x0000 T=112
> Mar 27 22:00:58 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00 I=4616 F=0x0000 T=112
> Mar 27 22:01:00 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00 I=4872 F=0x0000 T=112
>
> This is a set from two sites very nicely meshed (Are they racing each other?):
>
> Mar 23 18:39:48 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00 I=29440 F=0x0000 T=111
> Mar 23 18:39:48 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00 I=29184 F=0x0000 T=111
> Mar 23 18:39:50 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00 I=29696 F=0x0000 T=111
> Mar 23 18:39:50 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00 I=29952 F=0x0000 T=111
> Mar 23 18:39:51 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00 I=30464 F=0x0000 T=111
> Mar 23 18:39:51 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00 I=30720 F=0x0000 T=111
> Mar 23 18:39:59 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00 I=32000 F=0x0000 T=113
> Mar 23 18:39:59 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00 I=32256 F=0x0000 T=111
> Mar 23 18:40:01 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00 I=32512 F=0x0000 T=113
> Mar 23 18:40:01 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00 I=32768 F=0x0000 T=111
> Mar 23 18:40:02 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00 I=33024 F=0x0000 T=113
> Mar 23 18:40:02 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00 I=33280 F=0x0000 T=111
> Mar 23 18:40:23 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00 I=38144 F=0x0000 T=111
> Mar 23 18:40:23 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00 I=38400 F=0x0000 T=111
> Mar 23 18:40:25 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00 I=38656 F=0x0000 T=111
> Mar 23 18:40:25 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00 I=38912 F=0x0000 T=111
> Mar 23 18:40:26 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00 I=39168 F=0x0000 T=111
> Mar 23 18:40:26 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00 I=39424 F=0x0000 T=111
>
> --
> | Bryan Andersen | bryan () visi com | http://softail.visi.com |
> | Buzzwords are like annoying little flies that deserve to be swatted. |
> | -Bryan Andersen |
--
Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com
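The reading of the logs above is that a NetBIOS name lookup shows up as a group of three UDP/137 packets close together from one source to one destination (a query plus retries), while a scan looks different. As an added example, not code from the original thread or from either poster, here is a small Python script that parses firewall log lines in the format Bryan posted, clusters them per (source, destination) by time gap, and labels three-packet bursts within a few seconds as the lookup pattern; anything else (such as one packet per destination across a range) is left for the analyst. The sample log lines, the addresses in them, the 5-second gap threshold and the assumed year 2000 (the log format carries no year) are all constructed for this example.

```python
"""Group UDP/137 firewall log events into per-flow bursts and flag the
three-packets-close-together pattern that the thread attributes to name
lookups (rDNS failing, then a NetBIOS name query with retries).
Added example; sample data is constructed, not taken from the post."""
import re
from collections import defaultdict
from datetime import datetime

# Matches the log format quoted in the thread, e.g.
# "Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00 I=63748 F=0x0000 T=112"
LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) input "
    r"PROTO=(?P<proto>\d+) (?P<src>[\w.*]+):(?P<sport>\d+) (?P<dst>[\w.*]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)$"
)

# Constructed sample: one source doing 3-packet lookups against two hosts,
# then a different source sending a single packet to each host in the range.
# Addresses are RFC 5737 documentation ranges, not the ones in the post.
SAMPLE_LOG = """\
Mar 27 22:00:25 input PROTO=17 192.0.2.10:137 *.16:137 L=78 S=0x00 I=63748 F=0x0000 T=112
Mar 27 22:00:27 input PROTO=17 192.0.2.10:137 *.16:137 L=78 S=0x00 I=5381 F=0x0000 T=112
Mar 27 22:00:28 input PROTO=17 192.0.2.10:137 *.16:137 L=78 S=0x00 I=5637 F=0x0000 T=112
Mar 27 22:00:36 input PROTO=17 192.0.2.10:137 *.17:137 L=78 S=0x00 I=58373 F=0x0000 T=112
Mar 27 22:00:37 input PROTO=17 192.0.2.10:137 *.17:137 L=78 S=0x00 I=58629 F=0x0000 T=112
Mar 27 22:00:39 input PROTO=17 192.0.2.10:137 *.17:137 L=78 S=0x00 I=59141 F=0x0000 T=112
Mar 27 23:15:02 input PROTO=17 198.51.100.7:1029 *.16:137 L=78 S=0x00 I=100 F=0x0000 T=64
Mar 27 23:15:02 input PROTO=17 198.51.100.7:1029 *.17:137 L=78 S=0x00 I=101 F=0x0000 T=64
Mar 27 23:15:02 input PROTO=17 198.51.100.7:1029 *.19:137 L=78 S=0x00 I=102 F=0x0000 T=64
"""


def parse_line(line, year=2000):
    """Parse one log line into a dict, or return None if it does not match.
    The year is an assumption: the log format has none."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts, "proto": int(m["proto"]),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "len": int(m["len"]), "ttl": int(m["ttl"]),
    }


def summarize(src, dst, pkts):
    """Describe one burst; apply the thread's heuristic: three packets within
    a few seconds from one source to one destination reads as a name lookup."""
    span = (pkts[-1]["ts"] - pkts[0]["ts"]).total_seconds()
    kind = "name-lookup pattern" if len(pkts) == 3 and span <= 5 else "other"
    return {"src": src, "dst": dst, "count": len(pkts), "span_s": span,
            "ttls": sorted({r["ttl"] for r in pkts}), "kind": kind}


def group_bursts(records, max_gap=5.0):
    """Cluster UDP/137 packets per (src, dst); a new burst begins when the gap
    since the previous packet in that flow exceeds max_gap seconds."""
    flows = defaultdict(list)
    for r in records:
        if r["proto"] == 17 and r["dport"] == 137:
            flows[(r["src"], r["dst"])].append(r)
    bursts = []
    for (src, dst), pkts in flows.items():
        pkts.sort(key=lambda r: r["ts"])
        current = [pkts[0]]
        for r in pkts[1:]:
            if (r["ts"] - current[-1]["ts"]).total_seconds() > max_gap:
                bursts.append(summarize(src, dst, current))
                current = [r]
            else:
                current.append(r)
        bursts.append(summarize(src, dst, current))
    return bursts


def analyze(text, max_gap=5.0):
    """Parse a block of log text and return the burst summaries."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return group_bursts(records, max_gap)


if __name__ == "__main__":
    for b in analyze(SAMPLE_LOG):
        print(f"{b['src']:>14} -> {b['dst']:<6} {b['count']} pkt(s) over "
              f"{b['span_s']:.0f}s ttl={b['ttls']}  {b['kind']}")
```

Grouping per (source, destination) also untangles the interleaved second set in Bryan's log: the two sources each produce their own three-packet bursts to every host, which is what two machines running the same report against the same log file would look like. The TTL is carried along because a constant TTL per source is one more cheap consistency check before deciding whether a burst is worth a follow-up.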