Firewall Wizards mailing list archives

RE: UDP port 137


From: "Gibson, Brian" <briang () multex com>
Date: Tue, 2 Feb 1999 09:47:52 -0500

What is probably happening is that Outlook is attempting to use WINS to
do name resolution for whatever address you gave for the IMAP server.
Outlook does not normally use NETBIOS unless you are using WINS.  

The problem with logging NETBIOS is that the majority of requests on
137-139 are innocuous, particularly if you are using routable registered
internal names and have laptops that connect both to your LAN and to the
Internet, at different times of course.

-----Original Message-----
From: Chris Tobkin [mailto:tobkin () umn edu]
Sent: Friday, January 29, 1999 7:52 PM
To: firewall-wizards () nfr net
Subject: RE: UDP port 137


The other side of this coin is that most people do just drop and not log
these connections because they are made by random windows machines that
have little to minimal threat.  This is a great way for people probing
networks to find out what type of firewall you have, whether or not you
DO have a firewall, whether or not it may be a proxy, etc.

I see a lot of UDP/137 attempts when some of my users use Outlook to
connect to their IMAP server..  (what IMAP and NetBios have to do with
each other is beyond me...)

// chris
tobkin () umn edu

*************************************************************************
Chris Tobkin
tobkin () umn edu
Java and Web Services - Academic and Distributed Computing Services - UMN
Shep. Labs 190                                      Minneapolis, MN 55455
 -----------------------------------------------------------------------
  "Thanks to the printing press, the deviant smart people were able to
    distribute their genius without having to pass it on genetically.
         Evolution was short-circuited.  We gained knowledge and
         technology without gaining intelligence." - Scott Adams
*************************************************************************

-----Original Message-----
From: owner-firewall-wizards () nfr net
[mailto:owner-firewall-wizards () nfr net]On Behalf Of Shivdasani, Meenoo
Sent: Friday, January 29, 1999 9:03 AM
To: Burgess, John (EDS); 'firewall-wizards () nfr net'
Subject: RE: UDP port 137



My firewall has been alerting me to "possible port scans" on UDP for
port 137.  This seems to occur from a number of source addresses and
domains on the internet, some resolvable, some not.  Does anyone know
of a reason I should be concerned?

Ah, the joy of Windoze.  At the most innocent level, hits to 137/UDP
are just an annoyance.  Windoze boxes spew NetBIOS related traffic all
over the place.  My personal solution is to dump them in the bit bucket
so that I don't have to wade through reports of unserved ports in my
logs.  However, that solution does have a flaw -- no logging equates to
no tracking.

Hits to 139/TCP could be someone trying to nuke internal windoze
machines.  I can't remember offhand if there's an attack that you can
do with 137/UDP.


M
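
Added example, not part of the original thread: one way to keep the tracking that a silent drop loses without wading through every NetBIOS line is to summarize dropped 137-139 traffic per source. The log line format, the verdict names and the sweep threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample drop-log lines; the line format is an assumption.
SAMPLE_LOG = """\
1999-01-29T09:01:12 DROP UDP 198.51.100.7:137 -> 192.0.2.10:137
1999-01-29T09:01:14 DROP UDP 198.51.100.7:137 -> 192.0.2.10:137
1999-01-29T09:05:00 DROP UDP 203.0.113.50:1044 -> 192.0.2.1:137
1999-01-29T09:05:00 DROP UDP 203.0.113.50:1044 -> 192.0.2.2:137
1999-01-29T09:05:01 DROP UDP 203.0.113.50:1044 -> 192.0.2.3:137
1999-01-29T09:05:01 DROP UDP 203.0.113.50:1044 -> 192.0.2.4:137
1999-01-29T09:07:30 DROP TCP 203.0.113.99:2011 -> 192.0.2.20:139
1999-01-29T09:08:00 DROP UDP 198.51.100.9:1030 -> 192.0.2.53:53
"""

LINE_RE = re.compile(r"^\S+ DROP (UDP|TCP) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
# NetBIOS name service, datagram service and session service ports.
NETBIOS = {("UDP", 137), ("UDP", 138), ("TCP", 139)}

def summarize_netbios(log_text, sweep_threshold=3):
    """Return {source: (verdict, hits, distinct_destinations)}."""
    stats = defaultdict(lambda: {"hits": 0, "dsts": set(), "tcp139": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a drop line in the assumed format
        proto, src, dst, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if (proto, dport) not in NETBIOS:
            continue  # only the 137-139 traffic discussed in the thread
        s = stats[src]
        s["hits"] += 1
        s["dsts"].add(dst)
        s["tcp139"] |= (proto, dport) == ("TCP", 139)
    report = {}
    for src, s in stats.items():
        if s["tcp139"]:
            verdict = "session-attempt"   # 139/TCP: worth a look per the thread
        elif len(s["dsts"]) >= sweep_threshold:
            verdict = "sweep"             # one source, many internal targets
        else:
            verdict = "likely-noise"      # e.g. a client resolving one server name
        report[src] = (verdict, s["hits"], len(s["dsts"]))
    return report

if __name__ == "__main__":
    for src, row in sorted(summarize_netbios(SAMPLE_LOG).items()):
        print(src, *row)
```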




