Firewall Wizards mailing list archives
Re: many attempts to Port 137 (NetBIOS-NameService)
From: Robert Graham <robert_david_graham () yahoo com>
Date: Wed, 16 Feb 2000 17:58:19 -0800 (PST)
I wouldn't be worried: http://www.robertgraham.com/pubs/firewall-seen.html#port137 Are the source ports 137 as well? A 137->137 packet is almost certainly a request from a Windows machine, or a response. For example, you might have a machine internally sending out NetBIOS requests, and these might be the responses. Alternatively, for some reason, these might be Windows machines trying to do a reverse DNS lookup on your machine. If the DNS server doesn't respond in a timely manner, Windows machines will give up and try a NetBIOS query to resolve your name. This is part of Microsoft's Winsock implementation, so it is an OS thing rather than an application thing. I know this is weird advice: check your DNS server, it may fix the problem. In any event, grab a packet sniffer (like tcpdump, which is probably installed by default on your Linux box) and capture the packets to a file. If you send me the file; I could probably figure out what these NetBIOS packets are looking for (warning: you would be disclosing sensitive info if you did this). Rob. --- Joerg Walter <joerg.walter () members debis at> wrote:
Hi folks, I discovered a strange thing on a Firewall (IPCHAINS-based, RedHat 6.0, Kernel 2.2.12-20). There are lots of connect-attempts to this machine to Port 137 (NetBIOS-NameService). These attempts are blocked but nethertheless I'm wondering, since the source of these packets are addresses throughout Europe and they doesn't seem to be broadcasts (destination address is exactly that machine). We have some other Firewalls set up just the same on the same network and they don't get these packets... Is this something to be worried about?
===== Robert Graham http://www.robertgraham.com/pubs __________________________________________________ Do You Yahoo!? Talk to your friends online with Yahoo! Messenger. http://im.yahoo.com
Current thread:
- many attempts to Port 137 (NetBIOS-NameService) Joerg Walter (Feb 16)
- Re: many attempts to Port 137 (NetBIOS-NameService) Bill Pennington (Feb 17)
- Re: many attempts to Port 137 (NetBIOS-NameService) Chuck O'Donnell (Feb 19)
- Re: many attempts to Port 137 (NetBIOS-NameService) Philip J. Koenig (Feb 23)
- Re: many attempts to Port 137 (NetBIOS-NameService) K. Graham (Feb 19)
- Re: many attempts to Port 137 (NetBIOS-NameService) Chuck O'Donnell (Feb 19)
- <Possible follow-ups>
- Re: many attempts to Port 137 (NetBIOS-NameService) Robert Graham (Feb 17)
- Re: Re: many attempts to Port 137 (NetBIOS-NameService) Joerg Walter (Feb 17)
- Re: many attempts to Port 137 (NetBIOS-NameService) K. Graham (Feb 19)
- Re: many attempts to Port 137 (NetBIOS-NameService) Bill Pennington (Feb 17)