
lots of port 137 in deny log


Dave Vogler

May 2, 2001, 2:22:59 PM
to firewall discussion list
Hi all,

With all of your help, I've managed to implement a basic internet
firewall on my Cisco router via ACL. I'm logging my denied packets, and
I notice the most frequently denied packet is udp on port 137. I
thought 137 was part of netbios- why are there so many of these? They
appear to have been bound for Macs as well as NTs inside the LAN. About
4-5 an hour for a LAN of 25 computers.

Thanks,

Dave


Carl E. Mankinen

May 2, 2001, 4:55:13 PM
to Dave Vogler, firewall discussion list
If you are talking about INBOUND traffic on 137, I am currently being hammered with port 137 (nbname)
connection attempts from all over the internet, although I assume most of these are spoofed addresses.

About a week ago I started receiving a steady stream of this nbname traffic, wondering if anyone else
is seeing this.

It is normal to see a ton of netbios traffic trying to leak out of your windows network.
Just put in a rule for "SilentServices", include nbt, nbname etc and turn the logging off to prevent your logs from being spammed.
For your router access list, I guess you will have to prevent it from being syslogged with the other drops.

-
[To unsubscribe, send mail to majo...@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]

Carl E. Mankinen

May 2, 2001, 7:56:07 PM
to firewall discussion list
What I am seeing is inbound nbname connections to IP addresses all over my CIDR block.
Not to addresses that would have ever been resolved by external DNS, etc.
 
I would think this would indicate malicious intent.
----- Original Message -----
Sent: Wednesday, May 02, 2001 4:13 PM
Subject: Re: lots of port 137 in deny log


Because Microsoft implements NETBIOS over TCP by default and most people don't make the effort to turn it off. Consequently you have all kinds of systems trying to find out about the "Network Neighborhood" they are attached to.

-- Bill Stackpole, CISSP




Dave Vogler <david....@kekdesign.com>
Sent by: firewal...@Lists.GNAC.NET
05/02/01 10:49 AM
To: firewall discussion list <fire...@Lists.GNAC.NET>
Subject: lots of port 137 in deny log

Ben Nagy

May 2, 2001, 10:17:24 PM
to Carl E. Mankinen, firewall discussion list
Carl,

No - you'll get that. It's normally IIS servers trying to "look up" IP
addresses that connect to them. Are these real IP addresses that might be
computers running WWW browsers?

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304

-----Original Message-----
From: Carl E. Mankinen [mailto:ban...@zcore.net]
Sent: Thursday, May 03, 2001 8:05 AM
To: firewall discussion list
Subject: Re: lots of port 137 in deny log


What I am seeing is inbound nbname connections to IP addresses all over my
CIDR block.
Not to addresses that would have ever been resolved by external DNS etc.

I would think this would indicate malicious intent.
----- Original Message -----
From: William....@predictive.com
To: Dave Vogler
Cc: firewall discussion list ; firewal...@Lists.GNAC.NET
Sent: Wednesday, May 02, 2001 4:13 PM
Subject: Re: lots of port 137 in deny log

Because Microsoft implements NETBIOS over TCP by default and most people
don't make the effort to turn it off. Consequently you have all kinds of
systems trying to find out about the "Network Neighborhood" they are attached
to.

-- Bill Stackpole, CISSP

Carl E. Mankinen

May 2, 2001, 11:06:33 PM
to firewall discussion list
Yeah, try this if you have a MS Proxy 2.0 server.
Punch in a URL like http://209.247.228.201 and watch what your proxy server does.
It will send a nbname packet to that address. I am not sure if this is related to WebSense, or what.
I suppose it might be WebSense trying to find out the "name" of the server for its logging purposes, but wouldn't
that best be done through a reverse DNS lookup? Weird.
 
Squid didn't do that (go figure, it's running on Solaris)
 
The nbname packets that are clogging my logs are from all over creation. Asia, Russia, U.S., Europe, etc etc.
I doubt it's anything other than malicious.
 
-----Original Message-----
From: firewal...@Lists.GNAC.NET [mailto:firewal...@Lists.GNAC.NET]On Behalf Of William....@predictive.com
Sent: Wednesday, May 02, 2001 8:33 PM
To: firewall discussion list; firewal...@Lists.GNAC.NET
Subject: Re: lots of port 137 in deny log


Carl,

There are numerous NetBIOS-based scanners out there, so "malicious intent" is certainly a possibility. But I had a similar problem on a firewall I was administering. I traced it back to a company on the same ISP segment I was on that had NetBIOS enabled on their web and proxy servers. These two servers accounted for 700-800 port 137 denies every day. It was interesting to watch because they would first try specific addresses, then broadcast addresses, then class B broadcasts.

It's interesting to monitor segments with NT boxes on them. Even when you set up security controls on the interfaces to block everything but TCP/IP, they still send out mailbox queries and other garbage. Go figure.

-- Bill Stackpole, CISSP  

Carl E. Mankinen

May 2, 2001, 11:45:37 PM
to Ben Nagy, firewall discussion list
All my users do their surfing through proxies.
I know what addresses those are and should only see traffic to those
addresses,
not every address in my subnet. It's a scan. (except for the ones that were
legit sites hitting my proxy addresses)
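The two readings in this thread (Ben's "IIS/proxy looking up the clients that connect to it" and Carl's "every address in my subnet means a scan") can be told apart from the deny log itself by grouping UDP/137 denies by source and checking which internal addresses each source touched. The following is an added example written for this page, not code from any poster. It assumes the Cisco IOS `%SEC-6-IPACCESSLOGP` syslog format for ACL denies; the sample lines, the addresses (documentation ranges), the ACL number, and the `PUBLISHED` set of externally reachable hosts are all constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Cisco IOS ACL deny lines look like:
#   %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(137) -> 203.0.113.10(137), 1 packet
# The regex keys on the part after "list"; the syslog prefix in front of it is ignored.
LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Assumptions for the example (not from the thread): our public block, and the
# addresses outsiders legitimately reach (the proxy / web server that Ben and
# Carl talk about). Nothing else in the block is ever advertised or resolved.
OUR_NET = "203.0.113.0/24"
PUBLISHED = {"203.0.113.5"}

# Constructed sample syslog lines using documentation-range addresses.
SAMPLE_LOG = """\
May  2 14:01:02 gw 101: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(137) -> 203.0.113.10(137), 1 packet
May  2 14:01:09 gw 102: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(137) -> 203.0.113.11(137), 1 packet
May  2 14:01:15 gw 103: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(137) -> 203.0.113.12(137), 1 packet
May  2 14:01:20 gw 104: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(137) -> 203.0.113.13(137), 1 packet
May  2 14:03:41 gw 105: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.80(137) -> 203.0.113.5(137), 3 packets
May  2 14:07:12 gw 106: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.80(137) -> 203.0.113.255(137), 1 packet
May  2 14:09:55 gw 107: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4412) -> 203.0.113.5(80), 1 packet
"""


def parse_denies(log_text):
    """Return one dict per line in the IOS ACL-deny format; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "count"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def classify_nbns(records, our_net=OUR_NET, published=PUBLISHED, scan_threshold=3):
    """Group inbound UDP/137 denies by source and label each source.

    lookup:         every unicast target is a published address (the proxy/IIS
                    reverse-lookup behaviour Ben describes)
    scan:           the source touched scan_threshold or more addresses that
                    nobody outside should know about (Carl's case)
    broadcast-only: only the subnet broadcast was hit
    unknown:        a few unpublished targets, not enough to call it a scan
    """
    net = ip_network(our_net)
    pub = {ip_address(p) for p in published}
    per_src = defaultdict(lambda: {"unicast": set(), "broadcast": 0, "packets": 0})
    for r in records:
        if r["proto"] != "udp" or r["dport"] != 137:
            continue
        dst = ip_address(r["dst"])
        if dst not in net:
            continue  # not aimed at us; outbound NetBIOS leakage is a separate report
        bucket = per_src[r["src"]]
        bucket["packets"] += r["count"]
        if dst == net.broadcast_address:
            bucket["broadcast"] += 1
        else:
            bucket["unicast"].add(dst)

    verdicts = {}
    for src, b in per_src.items():
        unpublished = b["unicast"] - pub
        if not b["unicast"]:
            verdict = "broadcast-only"
        elif not unpublished:
            verdict = "lookup"
        elif len(unpublished) >= scan_threshold:
            verdict = "scan"
        else:
            verdict = "unknown"
        verdicts[src] = {
            "verdict": verdict,
            "targets": len(b["unicast"]),
            "unpublished": len(unpublished),
            "broadcasts": b["broadcast"],
            "packets": b["packets"],
        }
    return verdicts


if __name__ == "__main__":
    for src, v in sorted(classify_nbns(parse_denies(SAMPLE_LOG)).items()):
        print(f"{src:16} {v['verdict']:15} targets={v['targets']} "
              f"unpublished={v['unpublished']} broadcasts={v['broadcasts']} packets={v['packets']}")
```

Run against the constructed lines, 198.51.100.7 comes out as a scan (four unadvertised hosts in a row) and 192.0.2.80 as a lookup (only the published proxy, plus the subnet broadcast Bill mentions seeing after the specific addresses). Two caveats for real logs: IOS ACL logging is rate-limited and reports a periodic summary, so the "N packets" figure is approximate; and if you take Carl's advice and stop syslogging the 137 drops (an unlogged `deny udp any any eq netbios-ns` ahead of the logged catch-all deny), this report has nothing to read, so keep the logged entry long enough to make the call first.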

Crumrine, Gary L

May 3, 2001, 11:09:51 AM
to Carl E. Mankinen, firewall discussion list
I agree with Carl. I am not so sure that this can be just explained away as
being normal Microsoft activity. I too have seen a great deal of this type
of activity, and it just started about 6 months ago. I know the same
subject has come up on this thread at least 3 times now. It sure sounds
like it is another MS "issue".

> -----Original Message-----
> From: Carl E. Mankinen [SMTP:ban...@zcore.net]
> Sent: Wednesday, May 02, 2001 10:06 PM
> To: firewall discussion list
> Subject: RE: lots of port 137 in deny log
>

> Yeah, try this if you have a MS Proxy 2.0 server.
> Punch in a URL like <http://209.247.228.201> and watch what your proxy
> server does.
> It will send a nbname packet to that address. I am not sure if this is
> related to WebSense, or what.
> I suppose it might be WebSense trying to find out the "name" of the server
> for its logging purposes, but wouldn't
> that best be done through a reverse DNS lookup? Weird.
>
> Squid didn't do that (go figure, it's running on Solaris)
>
> The nbname packets that are clogging my logs are from all over creation.
> Asia, Russia, U.S., Europe, etc etc.
> I doubt it's anything other than malicious.
>
>
> -----Original Message-----
> From: firewal...@Lists.GNAC.NET
> [mailto:firewal...@Lists.GNAC.NET]On Behalf Of
> William....@predictive.com
> Sent: Wednesday, May 02, 2001 8:33 PM
> To: firewall discussion list; firewal...@Lists.GNAC.NET

> Subject: Re: lots of port 137 in deny log
>
>
>

> Carl,
>
> There are numerous NetBIOS-based scanners out there, so "malicious
> intent" is certainly a possibility. But I had a similar problem on a
> firewall I was administering. I traced it back to a company on the same
> ISP segment I was on that had NetBIOS enabled on their web and proxy
> servers. These two servers accounted for 700-800 port 137 denies every
> day. It was interesting to watch because they would first try specific
> addresses, then broadcast addresses, then class B broadcasts.
>
> It's interesting to monitor segments with NT boxes on them. Even
> when you set up security controls on the interfaces to block everything
> but TCP/IP, they still send out mailbox queries and other garbage. Go
> figure.
>

Ron DuFresne

May 3, 2001, 12:56:10 PM
to Crumrine, Gary L, Carl E. Mankinen, firewall discussion list

Some might be surprised how many win95 boxes are on the net without the
patches to guard against the tcp/ip stack issues from a few years back,
sping and such. Might well be the new crop of script kiddies testing old
sploits. But, since the traffic should not be routed and certainly should
not be exposed from the inner networks out, dropping the packets at the
border router and/or firewall should suffice.

Thanks,

Ron DuFresne

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

Dan Riley

May 3, 2001, 2:52:23 PM
to Crumrine, Gary L, Carl E. Mankinen, firewall discussion list
"Crumrine, Gary L" <Crumr...@state.gov> writes:
> I agree with Carl. I am not so sure that this can be just explained
> away as being normal Microsoft activity. I too have seen a great
> deal of this type of activity, and it just started about 6 months
> ago. I know the same subject has come up on this thread at least 3
> times now. It sure sounds like it is another MS "issue".

Random port 137 scanning starting about 6 months ago would probably be
the Bymer/Dnet.Dropper worm[1]. We also saw a huge increase in 137 blocks
from seemingly random IPs around then, and traced at least some of it
to that worm and its variants. However, I don't know of any reason
why Carl would have seen a recent increase in port 137 probes.

[1] http://www.sarc.com/avcenter/venc/data/w32.hllw.bymer.html
http://www.distributed.net/trojans.html.en
--
Dan Riley d...@mail.lns.cornell.edu
Wilson Lab, Cornell University <URL:http://www.lns.cornell.edu/~dsr/>
"History teaches us that days like this are best spent in bed"

Li, John

May 3, 2001, 6:23:51 PM
to William....@predictive.com, Dave Vogler, firewall discussion list, firewal...@lists.gnac.net
Where can I find information to turn that off. Thanks!

> -----Original Message-----
> From: William....@predictive.com
> Sent: Wednesday, May 02, 2001 4:13 PM
> To: Dave Vogler
> Cc: firewall discussion list; firewal...@Lists.GNAC.NET
> Subject: Re: lots of port 137 in deny log
>
>

> Because Microsoft implements NETBIOS over TCP by default and most people
> don't make the effort to turn it off. Consequently you have all kinds of
> systems trying to find out about the "Network Neighborhood" they are
> attached to.
>
> -- Bill Stackpole, CISSP
>
> Dave Vogler <david....@kekdesign.com>
> Sent by: firewal...@Lists.GNAC.NET
> 05/02/01 10:49 AM
> To: firewall discussion list <fire...@Lists.GNAC.NET>
> Subject: lots of port 137 in deny log
>
> Hi all,
>
> With all of your help, I've managed to implement a basic internet
> firewall on my Cisco router via ACL. I'm logging my denied packets, and
> I notice the most frequently denied packet is udp on port 137. I
> thought 137 was part of netbios- why are there so many of these? They
> appear to have been bound for Macs as well as NTs inside the LAN. About
> 4-5 an hour for a LAN of 25 computers.
>
> Thanks,
>
> Dave
