Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: many attempts to Port 137 (NetBIOS-NameService)

From: Bill Pennington <billp () rocketcash com>
Date: Wed, 16 Feb 2000 17:29:16 -0800
My guess would be that this are harmless packets getting set to you by
IIS servers and other NT based web reporting tools. Normally them come
in groups of 3. IIS and other tools attempt to collect additional info
from you when you access an IIS site. They do this via Netbios.

However I am seeing hundreds on UDP/137 attempts from a single IP
address in a very short period of time. I can't figure out why someone
would want to do that since I am silently dropping them at the firewall.
Must be some new toy the script kiddies have these days.

Hope that helps! If anyone has a clue on the UDP/137 flood let me know.



Joerg Walter wrote:

Hi folks,
I discovered a strange thing on a Firewall (IPCHAINS-based, RedHat 6.0, Kernel 2.2.12-20). There are lots of 
connect-attempts to this machine to Port 137 (NetBIOS-NameService). These attempts are blocked but nethertheless I'm 
wondering, since the source of these packets are addresses throughout Europe and they doesn't seem to be broadcasts 
(destination address is exactly that machine).
We have some other Firewalls set up just the same on the same network and they don't get these packets...

Is this something to be worried about?


-- 


Bill Pennington
IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com
Previous By Date Next
Previous By Thread Next

Current thread: