Home page logo
/

nanog logo nanog mailing list archives

Re: UDP port 137 Question
From: gary flynn <gary () habanero jmu edu>
Date: Tue, 6 Jan 1998 14:51:38 -0500

From: "C. Jon Larsen" <jlarsen () ford ajtech com>

Is there any *valid* reason to see UDP traffic directed at a unix box's
port 137 coming from IP sources across the internet ? The unix servers in
question are most definitely *not* running samba, and there is absolutely
no NT anywhere on this customer's network (that is seeing the incoming UDP
traffic directed at an IP destination address on port 137). (A couple
of 95 boxes scattered across an Ethernet comprise the Micro$oft part of
the network). None of the 95 boxen are running any file or print serving
(sharing) resources.

I can't think of any valid reason to see this traffic, personally. Anybody
out there that can present a scenario where I would expect to see these
UDP packets coming back in ?

netbios-ns      137/tcp         nbns
netbios-ns      137/udp         nbns
netbios-dgm     138/tcp         nbdgm
netbios-dgm     138/udp         nbdgm
netbios-ssn     139/tcp         nbssn

Windows boxes will attempt name resolution using whatever
protocols are configured...TCP/IP, Netbios, Netbios/TCP, Netbios/IPX,
etc. Our name servers and some other public boxes are hit all
the time because of this. (A campus WINS server would really
cut down on this but we haven't got around to it yet.)

I've seen a *LOT* of LAND attacks using these ports too. (i.e.
134.126.1.2 port 137 -> 134.126.1.2 port 137) Is the source
address and port the same as the destination?

I also seem to recall that using a Web browser (IE only?) on a Windows
client with TCP and Netbios configured will hit these ports but I don't 
remember the details.

If the Win95 boxes are browsing exterior NT based Web servers,
those servers may be attempting name lookups for the Win95
boxes to the authoritative name servers.

Or someone may just be scanning the network looking for someone with
their C:, N:, etc. drives published to the world with no passwords :)

Gary Flynn
Network Analyst
James Madison University


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault