Educause Security Discussion mailing list archives
Re: Windows mystery udp/137 to udp/137
From: "Vanderbilt, Teresa" <tvanderb () OZARKS EDU>
Date: Tue, 22 May 2007 15:31:17 -0500
I think I finally stopped the traffic at my site. I found these posts on the internet and decided to try it. http://www.the-collective.net/networklog/ http://lists.sans.org/pipermail/list/2005-January/019040.html The underlying cause may very well be Wins but I don't want to turn that off my DC's as I do have a few downlevel clients still in the field. I have a Cisco Pix 515 firewall and didn't have arp turned off on all the interfaces. Sysopt noproxyarp int1 (substitute your own interface name for int1) Sysopt noproxyarp outside Sysopt noproxyarp dmz1 Then, save your configuration and "cl arp". Thanks for all the input and I hope this helps someone else. Teresa -----Original Message----- From: Brady McClenon [mailto:mcclenbw () ONEONTA EDU] Sent: Tuesday, May 22, 2007 10:45 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Windows mystery udp/137 to udp/137 I'll admit to never trying this, but I thought you could stop a Windows client's NetBIOS broadcasts by changing the NetBIOS node-type to P-node (Peer-to-Peer). http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet /cncd_win_ysph.mspx?mfr=true Brady McClenon Administrative Computer Services State University College at Oneonta Oneonta, NY 13820
-----Original Message----- From: Jeff Kell [mailto:jeff-kell () UTC EDU] Sent: Tuesday, May 22, 2007 10:58 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Windows mystery udp/137 to udp/137 Clyde Hoadley wrote:We have several Windows servers that regularly attempt to send udppacketsfrom port 137 to non existent IP address udp port 137. These get blocked by the firewall. The Sys Admins haven't been able to figure
out why they do it. Has anyone encountered this problem before?This is the evil Microsoft empire :-) Windows machines will constantly chatter on 137 and 138. As others have noted, 137/138 are used by both WINS and NetBIOS local name resolution protocol. They also chatter on 1900 and 5000 (plug-and- pray). And Vista has another newfangled name resolution protocol that
will probably add more to the background noise. But back to 137... it's very difficult to make it go away. Part of this "chatter" is broadcast traffic, and it will blast away on 255.255.255.255 IP (ffff.ffff.ffff MAC). Sometimes it will be polite enough to only use the network-local broadcast. But it will
broadcast.
And any server in range may answer. I suspect this is where your unusual traffic is coming from. The clients will broadcast from whatever address they "think" is theirs, but the destination *is* a broadcast, and so it looks reasonable to your server. In your case it
appears the clients are misconfigured -- the 169.254 one obviously didn't get his DHCP request satisfied, and the 192.168 one might be bridging traffic from a private network. At any rate, unless you are routing broadcast traffic (and bear in mind that Cisco's with 'ip helper-address' will forward lots of broadcasts by default, not just bootp/dhcp), the misconfigured clients are probably on the same subnet
as the servers. Only if you see 137 requests in a scanning pattern (lots of them to different addresses, usually in the same /8 or /16, non-repetitive) would I suspect a virus/worm. The rest of the 137 stuff is the evil empire doing it's thing. "But I don't have WINS configured". Doesn't seem to matter. "But I don't have NetBIOS configured". Doesn't seem to matter either. Certain DHCP options will fire it up for you, especially if your DHCP server is a Windows one. The only "sure-fire, 100% dead-on, absolutely positive" way to keep clients from doing this is to disable NetBIOS completely. This is
done
from My Computer -> Properties -> Hardware -> Device Manager, then View...Show Hidden Devices, then navigate down to Non Plug-and-Play Devices, NetBIOS over TCP, right-click and "Disable". But that is admittedly a little bit overkill and can whack out your \\servername\resource references. If anyone has a better solution I'm
all ears. In theory, there is absolutely no reason for any Windows 2000 or greater version to need to use ports 137-139 at all. Since W2K it is "supposed to be" doing file sharing on 445 and name resolution through
DNS. I would dearly love to just block 137-139 everywhere (well, I'd like to add 135, but that seems to be an impossibility), but everytime
I try, something comes up broken or the Windows admins yell that something stopped working. It's kinda like IPX or Appletalk... took 20 years to make them finally
go away... Jeff
Current thread:
- Windows mystery udp/137 to udp/137 Clyde Hoadley (May 22)
- <Possible follow-ups>
- Re: Windows mystery udp/137 to udp/137 H. Morrow Long (May 22)
- Re: Windows mystery udp/137 to udp/137 Buz Dale (May 22)
- Re: Windows mystery udp/137 to udp/137 Lovaas,Steven (May 22)
- Re: Windows mystery udp/137 to udp/137 Vanderbilt, Teresa (May 22)
- Re: Windows mystery udp/137 to udp/137 Vanderbilt, Teresa (May 22)
- Re: Windows mystery udp/137 to udp/137 Jeff Kell (May 22)
- Re: Windows mystery udp/137 to udp/137 David Gillett (May 22)
- Re: Windows mystery udp/137 to udp/137 Brady McClenon (May 22)
- Re: Windows mystery udp/137 to udp/137 Vanderbilt, Teresa (May 22)
- Re: Windows mystery udp/137 to udp/137 Fowler, Steve (May 23)
- Re: Windows mystery udp/137 to udp/137 Lee Weers (May 29)
- Re: Windows mystery udp/137 to udp/137 Vanderbilt, Teresa (May 29)
- Re: Windows mystery udp/137 to udp/137 Lee Weers (May 30)
- Re: Windows mystery udp/137 to udp/137 Vanderbilt, Teresa (May 30)