Firewall Wizards mailing list archives

Re: UDP port 137


From: Robert Graham <robert_david_graham () yahoo com>
Date: Thu, 28 Jan 1999 22:49:42 -0800 (PST)



I think this has been answered before. Is there a FAQ for this mailing
list where such questions are answered? (i.e., a FAQ in which such
questions as "What is a firewall" are NOT answered).

The answer (I think): Windows-based machines that try to resolve your
hostname will do a NetBIOS node status request to port 137 (NetBIOS
name service port, see RFC 1001/1002). It has to do with the
'gethostbyaddr()' sockets API function. Whereas a UNIX box might
resolve via DNS and NIS, Microsoft resolves via DNS and NetBIOS.

Thus, as your users browse to a Microsoft web-server, the web-server
attempts to resolve the IP address to a name. Thus, you see such
requests coming from all over the 'net, but they are really just from
machines for which you have a previous outgoing connection.

I'm not sure, but I think that Microsoft will do a NetBIOS lookup only
if DNS fails (somebody correct me?). Thus, if you fix reverse DNS
lookups (assuming they are broken), then you will avoid false
positives. Besides, some people use reverse lookups for authentication
(example: Microsoft requires a valid reverse lookup that leads to US
whois information before they will allow you to download their 128-bit
browser).

Rob.




---"Burgess, John (EDS)" <jburgess () railtex com> wrote:

My firewall has been alerting me to "possible port scans" on UDP for
port 137.
This seems to occur from a number of source addresses and domains on
the internet, some resolvable, some not.  Does anyone know of a reason
I should be concerned?

John B.
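
One way to triage these alerts along the lines of the reply above, as an added example that is not part of the original thread: parse the inbound UDP/137 payload as an RFC 1002 node status (NBSTAT) query and check whether the sender is a host you recently connected out to. The function names, labels, the `recent_outbound` set (assumed to come from firewall state or connection logs) and the sample packet are constructed for illustration.

```python
import struct

NBSTAT = 0x0021  # RFC 1002 question type for a node status request

def decode_nb_name(enc: bytes) -> bytes:
    """Undo RFC 1001 first-level encoding: two letters 'A'..'P' per name byte."""
    if len(enc) != 32 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def parse_query(payload: bytes):
    """Return (is_response, qtype, name) for a one-question NBNS packet, else None."""
    if len(payload) < 50:  # 12 header + 1 length + 32 name + 1 terminator + 4
        return None
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qdcount != 1 or payload[12] != 0x20 or payload[45] != 0:
        return None
    try:
        name = decode_nb_name(payload[13:45])
    except ValueError:
        return None
    qtype, _qclass = struct.unpack("!2H", payload[46:50])
    return bool(flags & 0x8000), qtype, name

def classify(src_ip: str, payload: bytes, recent_outbound: set) -> str:
    """Label an inbound UDP/137 datagram seen at the perimeter."""
    parsed = parse_query(payload)
    if parsed is None:
        return "malformed-or-other"
    is_response, qtype, _name = parsed
    if is_response or qtype != NBSTAT:
        return "other-nbns"
    # Node status query from a host we connected to first: the reverse
    # lookup side effect described in the reply, not a scan.
    if src_ip in recent_outbound:
        return "expected-reverse-lookup"
    return "unsolicited-node-status"

# Constructed sample: node status query for the wildcard name "*"
# ("*" + 15 NULs encodes to "CK" followed by 30 "A" characters).
SAMPLE = (struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0) + b"\x20CK" + b"A" * 30
          + b"\x00" + struct.pack("!2H", NBSTAT, 1))

if __name__ == "__main__":
    outbound = {"203.0.113.10"}  # constructed: servers our users browsed to
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, classify(ip, SAMPLE, outbound))
```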







