Security Incidents mailing list archives
Re: FROM port 137 TO port 137
From: Erwin Geirnaert <egeirnaert () REFERENCE BE>
Date: Mon, 5 Mar 2001 09:03:31 +0100
Hi Bryan,

I may add to this that there is a new tool available called ShareSniffer (www.sharesniffer.com) that will scan a network for open shares. They promote it as the ultimate Napster program. So I think that there will be an increase of those scans on port 137. But that shouldn't be too hard to filter on the border-router or with a personal firewall.

Erwin

-----Original Message-----
From: Bryan Bradsby [mailto:Bryan.Bradsby () CAPNET STATE TX US]
Sent: Saturday, 3 March 2001 8:03
To: INCIDENTS () SECURITYFOCUS COM
Subject: FROM port 137 TO port 137

There seems to be a great deal of fear, panic, and confusion about packets FROM port 137 TO port 137.

If you are getting a small number (say 4) packets per second FROM port 137, and TO port 137, this is not a denial of service. If that is all you have, don't report it to the source ISP until you inspect the contents of the packets and determine the real cause. Some issues to consider are touched on below.

Let us consider some possible causes of traffic FROM port 137, and TO port 137.

1. This could be because the remote site has a worm similar to Network.VBS, and is searching for MS Windows open shares: http://www.sans.org/newlook/resources/IDFAQ/port_137.htm

2. However, this COULD be *perfectly normal* if you make connections to outside networks from your boxes that lack proper forward and reverse DNS entries.

3. Also, if the remote site is using Black Ice Defender, their firewall may be causing these packets (after your box initiates a connection to their network). The Black Ice firewall is only attempting to get the Netbios host name for an IP that connected to their network to record that data in their logs.

One of the best explanations for the port 137 traffic is: http://www.robertgraham.com/pubs/firewall-seen.html#10

Synopsis: If a box "YYY" on your network initiates a connection to a Win box "ZZZ" (outside your net), the remote box "ZZZ" may attempt to resolve the IP address of "YYY" by looking up the PTR record for "YYY" in your DNS. This is a function call - gethostbyaddress(). If your DNS server does not supply a host name for the IP address of "YYY" within 14 seconds, the remote Win box "ZZZ" will attempt Netbios Name resolution for "YYY" by asking "YYY" for Netbios "nodestatus" for the nodename wildcard "*".

This behavior is "completely normal" for Windows boxes. If you don't like it, either complain to Bill G, or block ports 135-139. Silently blocking (dropping) those packets is a bad thing to do. The proper thing to do is send "icmp port unreach". Neither will stop the packets from coming.

Providing proper reverse DNS for all the boxes on your network that will connect to the outside will mean you are doing the right thing, and may reduce some of this traffic.

-bryan bradsby
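The thread's advice is to look inside the UDP/137 packets before reporting anything. The following Python script is an added example (not code from either poster) that does exactly that: it decodes the NBNS question in each datagram, recognises the wildcard "*" node-status request that a Windows host sends after a failed reverse lookup, and summarises per-source packet rate and how many distinct hosts each source is asking. The capture records, the IP addresses and the `build_nbstat_query()` helper that produces them are constructed for the example; a real deployment would feed it records from a sniffer or firewall log instead.

```python
import struct
from collections import defaultdict

# NBNS (NetBIOS Name Service) runs over UDP/137.  A "node status" request
# (QTYPE 0x21, NBSTAT) for the wildcard name "*" is what a Windows host sends
# when the reverse DNS lookup for a peer fails, as described in the thread.
QTYPE_NB = 0x20      # ordinary name query
QTYPE_NBSTAT = 0x21  # node status request


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: a 16-byte NetBIOS name (15 chars + suffix byte) is
    written as 32 letters, 'A' + high nibble then 'A' + low nibble, per byte.
    The wildcard '*' is padded with NULs; ordinary names are padded with spaces."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes):
    """Inverse of encode_netbios_name(); returns (name, suffix)."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a first-level-encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def parse_nbns_query(payload: bytes):
    """Parse the header and the single question of an NBNS query datagram.
    Returns a dict, or None when the payload is not a well-formed one-question
    query (a response, a truncated packet, or something that is not NBNS)."""
    if len(payload) < 50:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qdcount != 1:          # response bit set, or not one question
        return None
    if payload[12] != 32 or payload[45] != 0:   # one 32-byte label, then root terminator
        return None
    try:
        name, suffix = decode_netbios_name(payload[13:45])
    except ValueError:
        return None
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    return {"txid": txid, "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass}


def build_nbstat_query(txid: int, name: str = "*") -> bytes:
    """Constructed NBSTAT query datagram, used here only to make sample input."""
    header = struct.pack("!6H", txid, 0x0000, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name) + b"\x00" + struct.pack("!HH", QTYPE_NBSTAT, 1)
    return header + question


def classify_payload(payload: bytes) -> str:
    """Label one UDP/137 payload by what it is actually asking for."""
    q = parse_nbns_query(payload)
    if q is None:
        return "not-nbns-query"
    if q["qtype"] == QTYPE_NBSTAT:
        return "nbstat-wildcard" if q["name"] == "*" else "nbstat-named"
    if q["qtype"] == QTYPE_NB:
        return "name-query"
    return "other"


def summarize(records):
    """Per-source view of port-137-to-port-137 traffic.  Records are tuples of
    (timestamp_seconds, src, sport, dst, dport, payload); other ports are ignored.
    Rate is packets over the observed span, with a one-second floor."""
    per_src = defaultdict(lambda: {"packets": 0, "dsts": set(), "kinds": defaultdict(int),
                                   "first": None, "last": None})
    for t, src, sport, dst, dport, payload in records:
        if sport != 137 or dport != 137:
            continue
        s = per_src[src]
        s["packets"] += 1
        s["dsts"].add(dst)
        s["kinds"][classify_payload(payload)] += 1
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return {src: {"packets": s["packets"], "distinct_dsts": len(s["dsts"]),
                  "pps": s["packets"] / max(s["last"] - s["first"], 1.0),
                  "kinds": dict(s["kinds"])} for src, s in per_src.items()}


def sample_records():
    """Constructed capture: (timestamp, src, sport, dst, dport, payload)."""
    recs = []
    # 192.0.2.10: four wildcard node-status queries within a second, all to the one
    # host that earlier connected to it (the reverse-DNS fallback the thread describes).
    for i in range(4):
        recs.append((100.0 + 0.25 * i, "192.0.2.10", 137, "198.51.100.5", 137, build_nbstat_query(0x1000 + i)))
    # 203.0.113.7: the same query once a second, but walking eight different hosts.
    for i in range(8):
        recs.append((200.0 + i, "203.0.113.7", 137, f"198.51.100.{i + 1}", 137, build_nbstat_query(0x2000 + i)))
    recs.append((300.0, "192.0.2.10", 53, "198.51.100.5", 53, b"\x00" * 20))   # not port 137
    recs.append((301.0, "203.0.113.9", 137, "198.51.100.5", 137, b"not nbns"))  # junk on 137
    return recs


if __name__ == "__main__":
    for src, info in summarize(sample_records()).items():
        print(f"{src}: {info['packets']} pkts, {info['distinct_dsts']} hosts, "
              f"{info['pps']:.2f} pps, {info['kinds']}")
```

The summary is what decides the next step: a handful of wildcard node-status queries per second aimed at a single host that just made an outbound connection is the normal Windows behaviour the thread describes, while the same query fanning out across many hosts is the share-scanning pattern, and a payload that is not NBNS at all deserves a closer look rather than a complaint to the source ISP.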