UDP port 137 Question

My mailer says that Melody Yoon said:

> Hi Jon. If memory serves, Netbios nameservices are generally only on the
> same segment unless you have an NT/Samba server somewhere... As it is, it
> should *NOT* be directed at your Unix boxes and definitely not coming
> across the Internet. My guess is that someone may be attempting a bad OOB
> data attack on port 137 thinking that your Unix box is some type of PC.

who was it that said, "never attribute to malice what can be explained by
stupidity?"

we run a web farm and see requests directed at port 137 all the time on
the web sites we host. i don't know for certain, but i assume it is
some sort of internet explorer "feature" that is attempting to establish
a CIFS connection to the web site. we ignore them anyway.

[cut]

> who was it that said, "never attribute to malice what can be explained by
> stupidity?"

no clue, but I like the quote. :)

> we run a web farm and see requests directed at port 137 all the time on
> the web sites we host. i don't know for certain, but i assume it is
> some sort of internet explorer "feature" that is attempting to establish
> a CIFS connection to the web site. we ignore them anyway.

Hi Bryce. That's a possibility which I had not thought of.. However, to
test it, I ran Explorer on some machines here (including IE4.0 for Sparc)
and directed it at my workstation here which is running apache. I've got
snoop running monitoring port 137, and so far, I've gotten no hits from
the machines running IE4 that are specifically directed to my Sparc (as
per the scenario from the original poster). Due to the way our network is
configured here, I don't have the ability to go over a router (we're on a
Cat5k switch).

Could someone out there do a similar test and double check my methods and
see if I just did something wrong? :)

mel

Melody Lynn Yoon melodyy@best.com | Graduate - '97 MSF
Senior SA - Taos Mountain Software, Santa Clara, CA | NRA Member
-- I do not accept commercial, unsolicited email
-- http://www.best.com/~melodyy/spam.policy.html

Bryce,

IANA sez:

netbios-ns 137/tcp NETBIOS Name Service
netbios-ns 137/udp NETBIOS Name Service

-rick

A weird thing I noticed about Microsoft in the past is that occasionally it
will think you are on a class B network even if your address space is
clearly class C. I had that problem with an ISP I did consulting for; they
were assigned the 209.25.255.0 network (I might be wrong about the second
octet). We noticed heavy traffic coming in on their T1, so heavy in fact
that the poor Cisco 3000 could barely handle commands from a terminal. It
turns out that several networks were misconfigured and sending their
broadcast traffic to us, so we promptly called the upstream and asked for a
new /24. I know it's sort of off topic for the port 137-139 discussion,
but I thought some of you guys would be interested.

Regards,

James Stephens James@iperform.net
Network Administrator 714-254-0200
Internet Performance Fax: 714-254-0600

Date: Tue, 06 Jan 1998 12:17:47 -0800 (PST)
From: Melody Yoon <melodyy@best.com>
Subject: Re: UDP port 137 Question
To: Bryce Ryan <brycer@organic.com>
Cc: jlarsen@ford.ajtech.com, nanog@merit.edu

[cut]
> who was it that said, "never attribute to malice what can be explained by
> stupidity?"

no clue, but I like the quote. :)

> we run a web farm and see requests directed at port 137 all the time on the
> web sites we host. i don't know for certain, but i assume it is some sort
> of internet explorer "feature" that is attempting to establish a CIFS
> connection to the web site. we ignore them anyway.

Hi Bryce. That's a possibility which I had not thought of.. However, to
test it, I ran Explorer on some machines here (including IE4.0 for Sparc) and
directed it at my workstation here which is running apache. I've got snoop
running monitoring port 137, and so far, I've gotten no hits from the machines
running IE4 that are specifically directed to my Sparc (as per the scenario
from the original poster). Due to the way our network is configured here, I
don't have the ability to go over a router (we're on a Cat5k switch).

I believe that WIN95 will do the UDP to 137 only if both MS network and
TCP/IP are configured. If you kill the MS network, that won't happen.

Could someone out there do a similar test and double check my methods and see
if I just did something wrong? :)

mel

Melody Lynn Yoon melodyy@best.com | Graduate - '97 MSF
Senior SA - Taos Mountain Software, Santa Clara, CA | NRA Member
-- I do not accept commercial, unsolicited email
-- http://www.best.com/~melodyy/spam.policy.html

Dave Nordlund d-nordlund@ukans.edu
University of Kansas 913/864-0450
Computing Services FAX 913/864-0485
Lawrence, KS 66045 KANREN
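
To see what the port 137 datagrams discussed in this thread are actually asking for, a captured UDP payload can be decoded. The following is an added example, not code from any of the posters: it parses the header and first question of an RFC 1002 NetBIOS name service packet and reports the queried name, the query type and the broadcast flag. The sample packets, the `build_query` helper and the name EXAMPLEHOST are constructed for illustration.

```python
import struct

QTYPES = {0x0020: "NB (name query)", 0x0021: "NBSTAT (node status)"}

def encode_name(name16: bytes) -> bytes:
    """First-level encoding (RFC 1001 14.1): each nibble becomes 'A' + nibble."""
    return bytes(0x41 + n for b in name16 for n in (b >> 4, b & 0x0F))

def decode_name(enc: bytes) -> bytes:
    if len(enc) != 32 or not all(0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))

def parse_nbns_query(payload: bytes) -> dict:
    """Parse the header and first question of an RFC 1002 name service packet."""
    # 12-byte header + length byte + 32 encoded bytes + terminator + type/class
    if len(payload) < 50 or payload[12] != 0x20:
        raise ValueError("too short or malformed question name")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if qdcount < 1:
        raise ValueError("packet carries no question")
    raw = decode_name(payload[13:45])
    pos = 45
    while pos < len(payload) and payload[pos] != 0:  # skip optional scope labels
        pos += 1 + payload[pos]
    if pos + 5 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!2H", payload[pos + 1:pos + 5])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "broadcast": bool(flags & 0x0010),  # B bit of NM_FLAGS
        "name": raw[:15].rstrip(b" \x00").decode("ascii", "replace"),
        "suffix": raw[15],  # 16th byte identifies the service type
        "qtype": QTYPES.get(qtype, hex(qtype)),
    }

def build_query(txid, flags, name16, qtype):
    """Build a constructed sample query (test input only, not a capture)."""
    return (struct.pack("!6H", txid, flags, 1, 0, 0, 0) + b"\x20"
            + encode_name(name16) + b"\x00" + struct.pack("!2H", qtype, 1))

# Constructed samples: a unicast wildcard status query and a broadcast name query.
SAMPLE_STATUS = build_query(0x1234, 0x0000, b"*" + b"\x00" * 15, 0x0021)
SAMPLE_BCAST = build_query(0x0042, 0x0110, b"EXAMPLEHOST".ljust(15) + b"\x20", 0x0020)

if __name__ == "__main__":
    for pkt in (SAMPLE_STATUS, SAMPLE_BCAST):
        print(parse_nbns_query(pkt))
```

A broadcast flag on a query that arrived from another network points to the kind of misdirected broadcast traffic described earlier in the thread, while a unicast status query for `*` is a host asking the target to list its NetBIOS names.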