nanog mailing list archives
Re: UDP port 137 Question
From: gary flynn <gary () habanero jmu edu>
Date: Tue, 6 Jan 1998 14:51:38 -0500
From: "C. Jon Larsen" <jlarsen () ford ajtech com> Is there any *valid* reason to see UDP traffic directed at a unix box's port 137 coming from IP sources across the internet ? The unix servers in question are most definitely *not* running samba, and there is absolutely no NT anywhere on this customer's network (that is seeing the incoming UDP traffic directed at an IP destination address on port 137). (A couple of 95 boxes scattered across an Ethernet comprise the Micro$oft part of the network). None of the 95 boxen are running any file or print serving (sharing) resources. I can't think of any valid reason to see this traffic, personally. Anybody out there that can present a scenario where I would expect to see these UDP packets coming back in ? netbios-ns 137/tcp nbns netbios-ns 137/udp nbns netbios-dgm 138/tcp nbdgm netbios-dgm 138/udp nbdgm netbios-ssn 139/tcp nbssn
Windows boxes will attempt name resolution using whatever protocols are configured...TCP/IP, Netbios, Netbios/TCP, Netbios/IPX, etc. Our name servers and some other public boxes are hit all the time because of this. (A campus WINS server would really cut down on this but we haven't got around to it yet.) I've seen a *LOT* of LAND attacks using these ports too. (i.e. 134.126.1.2 port 137 -> 134.126.1.2 port 137) Is the source address and port the same as the destination? I also seem to recall that using a Web browser (IE only?) on a Windows client with TCP and Netbios configured will hit these ports but I don't remember the details. If the Win95 boxes are browsing exterior NT based Web servers, those servers may be attempting name lookups for the Win95 boxes to the authoritative name servers. Or someone may just be scanning the network looking for someone with their C:, N:, etc. drives published to the world with no passwords :) Gary Flynn Network Analyst James Madison University
Current thread:
- Re: UDP port 137 Question, (continued)
- Re: UDP port 137 Question Melody Yoon (Jan 06)
- Re: UDP port 137 Question Bryce Ryan (Jan 06)
- Re: UDP port 137 Question Melody Yoon (Jan 06)
- Re: UDP port 137 Question Rick H. Wesson (Jan 06)
- Re: UDP port 137 Question DAVE NORDLUND (Jan 08)
- Re: UDP port 137 Question James Stephens (Jan 06)
- Re: UDP port 137 Question Bryce Ryan (Jan 06)
- Re: UDP port 137 Question Melody Yoon (Jan 06)
- Re: UDP port 137 Question DAVE NORDLUND (Jan 06)
- Re: UDP port 137 Question Eric Germann (Jan 06)
- Re: UDP port 137 Question DAVE NORDLUND (Jan 08)
- Re: UDP port 137 Question Eric Germann (Jan 06)
- Re: UDP port 137 Question Henry Linneweh (Jan 07)
- Re: UDP port 137 Question gary flynn (Jan 06)
- Re: UDP port 137 Question Joe Pruett (Jan 06)
- Message not available
- Re: UDP port 137 Question Jay R. Ashworth (Jan 06)
- Message not available
- Re: UDP port 137 Question Eric Germann (Jan 07)