Firewall Wizards mailing list archives
Re: UDP port 137
From: Robert Graham <robert_david_graham () yahoo com>
Date: Thu, 28 Jan 1999 22:49:42 -0800 (PST)
I think this has been answered before. Is there a FAQ for this mailing list where such questions are answered? (i.e. a FAQ in which such questions as "What is a firewall" are NOT answered).

The answer (I think): Windows-based machines that try to resolve your hostname will do a NetBIOS node status request to port 137 (NetBIOS name service port, see RFC 1001/1002). It has to do with the 'gethostbyaddr()' sockets API function. Whereas a UNIX box might resolve via DNS and NIS, Microsoft resolves via DNS and NetBIOS.

Thus, as your users browse to a Microsoft web-server, the web-server attempts to resolve the IP address to a name. Thus, you see such requests coming from all over the 'net, but they are really just from machines for which you have a previous outgoing connection.

I'm not sure, but I think that Microsoft will do a NetBIOS lookup only if DNS fails (somebody correct me?). Thus, if you fix reverse DNS lookups (assuming they are broken), then you will avoid false positives. Besides, some people use reverse lookups for authentication (example: Microsoft requires a valid reverse lookup that leads to US whois information before they will allow you to download their 128-bit browser).

Rob.

---"Burgess, John (EDS)" <jburgess () railtex com> wrote:

My firewall has been alerting me to "possible port scans" on UDP for port 137. This seems to occur from a number of source addresses and domains on the internet, some resolvable, some not. Does anyone know of a reason I should be concerned?

John B.
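The correlation described in this reply, as an added example that is not part of the original message: it decodes an inbound UDP/137 datagram, checks whether it is a NetBIOS node status request (RFC 1001/1002), and labels it by whether the source is a host the network recently connected out to. The 300-second window, the `outbound_last_seen` table, the label strings and the sample addresses are assumptions made for illustration.

```python
import struct

NBSTAT = 0x0021   # question type of a node status request (RFC 1002)
WINDOW = 300      # assumed: seconds an outbound connection stays relevant

def decode_question(payload: bytes):
    """Return (16-byte NetBIOS name, qtype) for a one-question query, else None."""
    if len(payload) < 50:
        return None
    _txid, flags, qd, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qd != 1:              # response bit set, or not one question
        return None
    enc = payload[13:45]
    if payload[12] != 32 or payload[45] != 0:  # unscoped names only
        return None
    if any(not 0x41 <= c <= 0x50 for c in enc):
        return None
    # First-level encoding (RFC 1001): each nibble was stored as 'A' + nibble.
    name = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    qtype, _qclass = struct.unpack("!HH", payload[46:50])
    return name, qtype

def classify(src_ip, payload, now, outbound_last_seen):
    """Label one inbound UDP/137 datagram.

    outbound_last_seen maps destination IP -> time of the last outgoing
    connection from our network (hypothetical table, e.g. built from firewall logs).
    """
    q = decode_question(payload)
    if q is None:
        return "not-a-netbios-query"
    if q[1] != NBSTAT:
        return "other-netbios-query"
    last = outbound_last_seen.get(src_ip)
    if last is not None and 0 <= now - last <= WINDOW:
        return "node-status-after-outbound"
    return "node-status-unsolicited"

# Constructed sample: node status request for the wildcard name "*" + 15 NULs.
SAMPLE = (struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 0)
          + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
          + struct.pack("!HH", NBSTAT, 0x0001))

if __name__ == "__main__":
    seen = {"192.0.2.10": 1000.0}   # constructed: a user browsed to this server
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, classify(ip, SAMPLE, 1030.0, seen))
```

Requests labelled `node-status-after-outbound` match the pattern the reply describes; the remaining node status requests are the ones left to examine.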