Is there any *valid* reason to see UDP traffic directed at a unix box's
port 137 coming from IP sources across the internet? The unix servers in
question are most definitely *not* running samba, and there is absolutely
no NT anywhere on this customer's network (that is seeing the incoming UDP
traffic directed at an IP destination address on port 137). (A couple
of 95 boxes scattered across an Ethernet comprise the Micro$oft part of
the network). None of the 95 boxen are running any file or print serving
(sharing) resources.
I can't think of any valid reason to see this traffic, personally. Anybody
out there that can present a scenario where I would expect to see these
UDP packets coming back in?
netbios-ns 137/tcp nbns
netbios-ns 137/udp nbns
netbios-dgm 138/tcp nbdgm
netbios-dgm 138/udp nbdgm
netbios-ssn 139/tcp nbssn
Well, at least you're not alone:
deny udp any any eq netbios-ns (5479183 matches)
deny udp any any eq netbios-dgm (20345 matches)
deny udp any any eq 139 (414 matches)
deny tcp any any eq 139 (20446 matches)
No Windoze on this side... How much garbage traffic is generated by MS
products anyhow?
~~~~~~~~~~ ~~~~~~~~~~~
Charles Sprickman Internet Channel
INCH System Administration Team (212)243-5200
spork@inch.com access@inch.com
[stuff cut]
Hi Jon. If memory serves, Netbios nameservices are generally only on the
same segment unless you have an NT/Samba server somewhere... As it is, it
should *NOT* be directed at your Unix boxes and definitely not coming
across the Internet. My guess is that someone may be attempting a bad OOB
data attack on port 137 thinking that your Unix box is some type of PC.
Mel
Melody Lynn Yoon melodyy@best.com | Graduate - '97 MSF
Senior SA - Taos Mountain Software, Santa Clara, CA | NRA Member
-- I do not accept commercial, unsolicited email
-- http://www.best.com/~melodyy/spam.policy.html
> Date: Tue, 06 Jan 1998 12:54:52 -0500 (EST)
> From: "C. Jon Larsen" <jlarsen@ford.ajtech.com>
> Subject: UDP port 137 Question
> To: nanog@merit.edu
>
> Is there any *valid* reason to see UDP traffic directed at a unix box's
> port 137 coming from IP sources across the internet? The unix servers in
> question are most definitely *not* running samba, and there is absolutely no
> NT anywhere on this customer's network (that is seeing the incoming UDP
> traffic directed at an IP destination address on port 137). (A couple of 95
> boxes scattered across an Ethernet comprise the Micro$oft part of the
> network). None of the 95 boxen are running any file or print serving (sharing)
> resources.
Are you sure these don't have ip broadcast addresses on them? I've seen
MS UDP packets with 255.255.255.255 as the destination address if the
WIN box isn't set up reasonably.
> I can't think of any valid reason to see this traffic, personally. Anybody out
> there that can present a scenario where I would expect to see these UDP
> packets coming back in?
>
> netbios-ns 137/tcp nbns
> netbios-ns 137/udp nbns
> netbios-dgm 138/tcp nbdgm
> netbios-dgm 138/udp nbdgm
> netbios-ssn 139/tcp nbssn
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> C. Jon Larsen Email: jlarsen@ford.ajtech.com
> Systems Engineer Voice: +1.804.353.2800 x118
> A&J Technologies http://www.ajtech.com
> PGP Key fingerprint: 8A 62 4C 6E 1E 3C CD 63 B3 16 1A 1B D2 61 EE 97
> PGP Public key available at: http://ford.ajtech.com/CJL.txt
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Dave Nordlund d-nordlund@ukans.edu
University of Kansas 913/864-0450
Computing Services FAX 913/864-0485
Lawrence, KS 66045 KANREN
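Jon's question (what the inbound UDP/137 datagrams actually are) and Dave's point about 255.255.255.255 destinations both come down to looking at the datagrams rather than just the port number: the NBNS header says whether a packet is a name query, a wildcard node-status request or a registration, and the source and destination addresses say whether it could legitimately have crossed a router. Below is an added example that does exactly that in Python; it is not code from this thread or from any of its participants. The wire format is RFC 1002's; the addresses, names, the 192.0.2.0/24 "local" prefix and the three sample datagrams are constructed for the demonstration, and the unicast-registration case is a scenario supplied here (a client with this IP configured as its WINS server), not one the thread identifies.

```python
"""Decode and triage NetBIOS Name Service (UDP/137) datagrams.

Added example for this thread, not code posted by any of its participants.
Wire format per RFC 1002; every address, name and the "local" prefix below
is constructed for the demonstration.
"""
import ipaddress
import struct

NB, NBSTAT = 0x0020, 0x0021                       # NBNS question types
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def encode_nbname(name: str, suffix: int, pad: bytes = b" ") -> bytes:
    """First-level encoding: 15 name bytes + 1 suffix byte -> 32 chars 'A'..'P',
    preceded by the length byte and followed by an empty scope."""
    raw = name.encode("ascii").ljust(15, pad) + bytes([suffix])
    encoded = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + encoded + b"\x00"


def decode_nbname(encoded: bytes) -> tuple:
    """Reverse of encode_nbname; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def build_nbns(tid: int, flags: int, name: str, suffix: int, qtype: int,
               pad: bytes = b" ") -> bytes:
    """Minimal NBNS request with one question (registration RRs omitted)."""
    header = struct.pack("!HHHHHH", tid, flags, 1, 0, 0, 0)
    return header + encode_nbname(name, suffix, pad) + struct.pack("!HH", qtype, 1)


def parse_nbns(payload: bytes) -> dict:
    """Parse the 12-byte header and the first question of an NBNS datagram."""
    if len(payload) < 12:
        raise ValueError("short NBNS header")
    tid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    info = {
        "tid": tid,
        "response": bool(flags & 0x8000),           # R bit
        "opcode": OPCODES.get((flags >> 11) & 0x0F, "other"),
        "broadcast_flag": bool(flags & 0x0010),     # B bit in NM_FLAGS
        "name": None, "suffix": None, "qtype": None,
    }
    if qdcount == 0:
        return info
    off = 12
    if payload[off] != 32:
        raise ValueError("unexpected NetBIOS name length")
    info["name"], info["suffix"] = decode_nbname(payload[off + 1:off + 33])
    off += 33
    while payload[off] != 0:                        # skip scope labels, if any
        off += 1 + payload[off]
    off += 1
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    info["qtype"] = {NB: "NB", NBSTAT: "NBSTAT"}.get(qtype, hex(qtype))
    return info


def triage(src: str, dst: str, payload: bytes, local: str) -> list:
    """Reasons a UDP/137 datagram seen at the border deserves a look."""
    net = ipaddress.ip_network(local)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    info = parse_nbns(payload)
    notes = []
    if s not in net:
        notes.append("source outside the local segment; NBNS has no business arriving from the Internet")
    if d == LIMITED_BROADCAST or info["broadcast_flag"]:
        notes.append("limited broadcast (255.255.255.255 / B flag); no router should have forwarded it")
    if info["qtype"] == "NBSTAT" and info["name"] == "*":
        notes.append("wildcard node-status request; asks the target for its whole NetBIOS name table")
    if info["opcode"] == "registration" and d != LIMITED_BROADCAST:
        notes.append("unicast registration; the sender has this address configured as its WINS server")
    return notes


LOCAL = "192.0.2.0/24"                              # constructed: the customer's LAN
SAMPLES = [                                         # (src, dst, UDP/137 payload), all constructed
    ("203.0.113.7", "192.0.2.10",                   # Internet host probing the Unix box
     build_nbns(0x1234, 0x0000, "*", 0x00, NBSTAT, pad=b"\x00")),
    ("192.0.2.55", "255.255.255.255",               # a Win95 box looking for its workgroup
     build_nbns(0x8001, 0x0110, "WORKGROUP", 0x1D, NB)),
    ("198.51.100.4", "192.0.2.10",                  # remote client registering with "its" WINS server
     build_nbns(0x0042, 0x2900, "PCNAME", 0x00, NB)),
]

if __name__ == "__main__":
    for src, dst, payload in SAMPLES:
        info = parse_nbns(payload)
        print(f"{src} -> {dst}: {info['opcode']} {info['qtype']} "
              f"{info['name']!r} <{info['suffix']:#04x}>")
        for note in triage(src, dst, payload, LOCAL):
            print("   !", note)
```

Run as a script it prints each sample decoded with its triage notes. On real captures the useful split is an external source sending a wildcard NBSTAT (someone enumerating the box) versus a limited-broadcast destination (a misconfigured host whose traffic a router should have dropped); neither is a reason to leave 137/udp open at the border.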
> No Windoze on this side... How much garbage traffic is generated by MS
> products anyhow?
I thought most of it is....... >;)
One would hope the backbones aren't passing 255.255.255.255 around to come
in via his Internet connection
>> Date: Tue, 06 Jan 1998 12:54:52 -0500 (EST)
>> From: "C. Jon Larsen" <jlarsen@ford.ajtech.com>
>> Subject: UDP port 137 Question
>> To: nanog@merit.edu
>>
>> Is there any *valid* reason to see UDP traffic directed at a unix box's
>> port 137 coming from IP sources across the internet? The unix servers in
>> question are most definitely *not* running samba, and there is absolutely no
>> NT anywhere on this customer's network (that is seeing the incoming UDP
>> traffic directed at an IP destination address on port 137). (A couple of 95
>> boxes scattered across an Ethernet comprise the Micro$oft part of the
>> network). None of the 95 boxen are running any file or print serving (sharing)
>> resources.
>
> Are you sure these don't have ip broadcast addresses on them? I've seen
> MS UDP packets with 255.255.255.255 as the destination address if the
> WIN box isn't set up reasonably.
>
>> I can't think of any valid reason to see this traffic, personally.
>> Anybody out
Port 139 is the OOB bug known as the WinNuke attack, and it can be patched;
variations come through other ports, as directed by Linux boxes at Win95 users or MS users.
Henry R. Linneweh
C. Jon Larsen wrote:
Date: Tue, 06 Jan 1998 16:43:27 -0500
From: Eric Germann <ekgermann@cctec.com>
Subject: Re: UDP port 137 Question
To: d-nordlund@UKANS.EDU
Cc: nanog@merit.edu
> One would hope the backbones aren't passing 255.255.255.255 around to come in
> via his Internet connection
One would hope........ !
But you can't assume!
============================================================================
Eric Germann Computer and Communications Technologies
ekgermann@cctec.com Van Wert, OH 45891
Phone: 419 968 2640
http://www.cctec.com Fax: 419 968 2641
Network Design, Connectivity & System Integration Services
A Microsoft Solution Provider