Firewall Wizards mailing list archives
RE: UDP port 137
From: "Gibson, Brian" <briang () multex com>
Date: Tue, 2 Feb 1999 09:47:52 -0500
What is probably happening is that Outlook is attempting to use WINS to do name resolution for whatever address you gave for the IMAP server. Outlook does not normally use NETBIOS unless you are using WINS. The problem with logging NETBIOS is that the majority of requests on 137-139 are innocuous, particularly if you are using routable registered internal names and have laptops that connect both to your LAN and to the Internet, at different times of course. -----Original Message----- From: Chris Tobkin [mailto:tobkin () umn edu] Sent: Friday, January 29, 1999 7:52 PM To: firewall-wizards () nfr net Subject: RE: UDP port 137 The other side of this coin is that most people do just drop and not log these connections because they are made by random windows machines that have little to minimal threat. This is a great way for people probing networks to find out what type of firewall you have, whether or not you DO have a firewall, whether or not it may be a proxy, etc. I see a lot of UDP/137 attempts when some of my users use Outlook to connect to their IMAP server.. (what IMAP and NetBios have to do with each other is beyond me...) // chris tobkin () umn edu ************************************************************************ * Chris Tobkin tobkin () umn edu Java and Web Services - Academic and Distributed Computing Services - UMN Shep. Labs 190 Minneapolis, MN 55455 ----------------------------------------------------------------------- "Thanks to the printing press, the deviant smart people were able to distribute their genius without having to pass it on genetically. Evolution was short-circuited. We gained knowledge and technology without gaining intelligence." - Scott Adams ************************************************************************ *
-----Original Message----- From: owner-firewall-wizards () nfr net [mailto:owner-firewall-wizards () nfr net]On Behalf Of Shivdasani, Meenoo Sent: Friday, January 29, 1999 9:03 AM To: Burgess, John (EDS); 'firewall-wizards () nfr net' Subject: RE: UDP port 137My firewall has been alerting me to "possible port scans" on UPD for port 137. This seems to occur from a number of source addresses and domains on the internet, some resolve-able, some not. Does anyone know of a reason I should be concerned?Ah, the joy of Windoze. At the most innocent level, hits to 137/UDP
are
just an annoyance. Windoze boxes spew NetBIOS related traffic all over the place. My personal solution is to dump them in the bit bucket so that
I
don't have to wade through reports of unserved ports in my logs.
However,
that solution does have a flaw -- no logging equates to no tracking. Hits to 139/TCP could be someone trying to nuke internal windoze
machines.
I can't remember offhand if there's an attack that you can do with 137/UDP. M
Current thread:
- Re: UDP port 137 Bret McDanel (Feb 01)
- <Possible follow-ups>
- Re: UDP port 137 David Gillett (Feb 01)
- Re: UDP port 137 John Kozubik (Feb 01)
- RE: UDP port 137 Chris Tobkin (Feb 01)
- RE: UDP port 137 Gibson, Brian (Feb 02)
- Re: UDP Port 137 Randy Witlicki (Feb 03)