nanog mailing list archives

Re: UDP port 137 Question
From: "C. Jon Larsen" <jlarsen () ajtech com>
Date: Tue, 6 Jan 1998 14:56:15 -0500 (EST)


Good point that nobody else mentioned. Since the network number
is freshly allocated, I believe (not recycled), I'm pretty sure that this
is not the case *this* time.

Anyway, I'm filing away all of the interesting responses. The port 137/UDP
traffic may indeed be harmless. Some other packets I'm now seeing (port
139/TCP, 1-2 packets, from different source IPs) seem to indicate this may
be more than Micro$oft misconfiguration . . .

On Tue, 6 Jan 1998, Eric Germann wrote:

The other less paranoid scenario is they were renumbered and didn't update
some server mappings in WINS or LMHOSTS and you were lucky enough to get
their old space.


At 10:52 AM 1/6/98 -0800, Dalvenjah FoxFire wrote:
C. Jon Larsen put this into my mailbox:

Is there any *valid* reason to see UDP traffic directed at a unix box's
port 137 coming from IP sources across the internet? The unix servers in
question are most definitely *not* running samba, and there is absolutely
no NT anywhere on this customer's network (that is seeing the incoming UDP
traffic directed at an IP destination address on port 137). (A couple
of 95 boxes scattered across an Ethernet comprise the Micro$oft part of
the network). None of the 95 boxen are running any file or print serving
(sharing) resources.

I can't think of any valid reason to see this traffic, personally. Anybody
out there that can present a scenario where I would expect to see these
UDP packets coming back in?

No. Doubtless some idiot thinks everybody runs WinDoze and is trying to
winnuke you, especially if several boxes get hit one after the other.
E-mail the contacts of the source address and ask that the account
be removed; chances are the person wasn't clueful enough to spoof the
source address.


Dalvenjah FoxFire (aka Sven Nielsen) "Hath not a dude eyes? If you prick us,
Founder, the DALnet IRC Network       do we not get bummed? If we eat bad
                                      guacamole, do we not blow chunks?"
e-mail: dalvenjah () dal net              - Keanu Reeves as Shylock in The
whois: SN90                      WWW: http://www.dal.net/~dalvenjah/  

Eric Germann                          Computer and Communications Technologies
ekgermann () cctec com                        Van Wert, OH 45891
                                      Phone:  419 968 2640
http://www.cctec.com                  Fax:    419 968 2641

Network Design, Connectivity & System Integration Services 
A Microsoft Solution Provider                                 
