Date:      Sat, 2 Dec 2000 13:36:52 +0300
From:      Vladimir Dubrovin <vlad@sandy.ru>
To:        Melon <melon@orangenetwork.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: 137/udp
Message-ID:  <28146581553.20001202133652@sandy.ru>
In-Reply-To: <3A26A013136.BF8AMELON@postman.orangenetwork.net>
References:  <3A26A013136.BF8AMELON@postman.orangenetwork.net>

Hello Melon,

I'm a little bit late, but hope this information will help you.

As was correctly noted by a few authors, Windows uses NetBIOS name
resolution in the process of name resolution. You can get a UDP/137
packet every time someone on a Windows box tries to resolve your
IP to a name. It was incorrectly noted that it will happen if you have
a Windows client. In fact, usually you can get this packet when you try
to connect to a Windows server, for example when you connect to an IIS
server while browsing the WWW. When these packets are sent from a Windows
box you will have both SRC and DST ports UDP/137. If you have a different
SRC port, someone is probably scanning your network (or this box is
behind NAT).

NetBIOS name resolution is a valid process defined by RFC 1000/1001.
A Windows host can also use this protocol instead of ident, since it
allows finding the active user of a Windows box.

P.S. If you prefer to filter these packets with ipfw, it's better to use
"unreach port" instead of "deny", since it can eliminate the timeout of
the remote host in the name resolution process.

-- 
   Vladimir Dubrovin                  Sandy, ISP
    Sandy CCd chief               Customers Care dept
  http://www.sandy.ru           Nizhny Novgorod, Russia
 
http://www.security.nnov.ru


30.11.2000 21:44, you wrote: 137/udp;

M> Hello,

M> All network administrators may always see rejected 137/udp packets...

M> I want to know how these UDP packets occur?
M> I expect some stupid kids attacked me. However, is there any exception?

M> Someone sent only 3 137/udp packets to a specific IP address. In general,
M> these stupid do not send to a specific IP address; they send to all IP
M> addresses I have.

M> Any suggestions appreciated.

M> - Melon



M> To Unsubscribe: send mail to majordomo@FreeBSD.org
M> with "unsubscribe freebsd-security" in the body of the message








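The source-port heuristic from the reply above, applied to firewall logs, as an added example that is not part of the original e-mail thread. The log layout (classic ipfw syslog lines), the sample lines (constructed, using documentation address ranges) and the function name `classify_udp137` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the classic ipfw syslog layout (an assumption;
# adjust the regex to your own log format). Addresses are documentation ranges.
SAMPLE_LOG = """\
Dec  2 13:30:01 gw /kernel: ipfw: 1000 Deny UDP 192.0.2.10:137 198.51.100.5:137 in via fxp0
Dec  2 13:30:03 gw /kernel: ipfw: 1000 Deny UDP 192.0.2.10:137 198.51.100.5:137 in via fxp0
Dec  2 13:30:06 gw /kernel: ipfw: 1000 Deny UDP 192.0.2.10:137 198.51.100.5:137 in via fxp0
Dec  2 13:31:10 gw /kernel: ipfw: 1000 Deny UDP 203.0.113.7:1042 198.51.100.1:137 in via fxp0
Dec  2 13:31:10 gw /kernel: ipfw: 1000 Deny UDP 203.0.113.7:1043 198.51.100.2:137 in via fxp0
Dec  2 13:31:11 gw /kernel: ipfw: 1000 Deny UDP 203.0.113.7:1044 198.51.100.3:137 in via fxp0
Dec  2 13:32:00 gw /kernel: ipfw: 1000 Deny TCP 203.0.113.9:4000 198.51.100.5:80 in via fxp0
"""

LINE_RE = re.compile(
    r"ipfw: \d+ .*?\bUDP (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) in\b"
)

def classify_udp137(log_text):
    """Return {src_ip: verdict} for inbound UDP/137 packets in ipfw log text."""
    sports = defaultdict(set)   # source ports seen per source address
    dsts = defaultdict(set)     # destination addresses probed per source
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "137":
            continue
        sports[m.group("src")].add(int(m.group("sport")))
        dsts[m.group("src")].add(m.group("dst"))
    verdicts = {}
    for src in sports:
        if sports[src] == {137}:
            # SRC and DST both 137: a Windows box resolving a name
            verdicts[src] = "netbios-name-lookup"
        else:
            # Different SRC port: probable scan, or a Windows box behind NAT
            verdicts[src] = "scan-or-nat (%d destinations)" % len(dsts[src])
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify_udp137(SAMPLE_LOG).items()):
        print(src, verdict)
```

The destination count helps separate a few packets aimed at one address from a sweep across the whole range, which is the distinction the original question asks about.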