Security Incidents mailing list archives
Re: Lots netbios scans (udp 137)
From: Erich.Meier () INFORMATIK UNI-ERLANGEN DE (Erich Meier)
Date: Thu, 4 May 2000 16:24:16 +0200
On Wed, May 03, 2000 at 03:31:21AM -0400, Greg A. Woods wrote:
> [ On Monday, May 1, 2000 at 20:20:57 (-0500), Ben Laws wrote: ]
> > Subject: Re: Lots netbios scans (udp 137)
> >
> > Here I've been observing similar scans, although over a smaller address space. They always originate from a Windows box (determined by `nmap -sS -O target`), and I've seen them come from all over as well. Best to ensure you don't have any open shares on your Windows systems --
>
> The scans I saw last week were always from unrouted networks such as 192.168 and 169.254, but from port 137 and to port 137, and always 78-byte UDP packets. Is there any possibility that it's "normal" for a M$-Win box to do this under some circumstances?

Yes, it's normal. And it's legal. To quote from Bill Manning's I-D draft-manning-dsua-03.txt:

-----
169.254.0.0/16 has been ear-marked as the IP range to use for end node auto-configuration when a DHCP server may not be found. As such, network operations and administrators should be VERY aggressive in ensuring that neither route advertisements nor packet forwarding should occur across any media boundaries. This is true for the Internet as well as any private networks that use the IP protocols. End node administrators should be aware that some vendors will auto-configure and add this prefix to the nodes forwarding table. This will cause problems with sites that run router discovery or deprecated routing protocols such as RIP.
-----

M$ apparently uses this network when no other IP addresses are configured. At least I saw packets from these addresses from a new Win2K machine on our net.

Regards,
Erich
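
An added example, not part of the original message: one way to separate the cases discussed in this thread when reading packet logs, namely UDP/137 traffic whose source is in 169.254.0.0/16 or 192.168.0.0/16 and which was seen on an external interface (a forwarding leak) versus the same traffic on a local segment or from a routable source. The log format, the interface names `ext0`/`int0`, and all sample lines are constructed assumptions.

```python
import ipaddress
import re

# Source ranges named in the thread that should never cross a routed boundary.
UNROUTED = {
    "169.254.0.0/16 auto-configuration": ipaddress.ip_network("169.254.0.0/16"),
    "192.168.0.0/16 private": ipaddress.ip_network("192.168.0.0/16"),
}

# Assumed log format: "<iface> <proto> <src>:<sport> > <dst>:<dport> len <n>"
LINE_RE = re.compile(
    r"^(?P<iface>\S+) (?P<proto>udp|tcp) (?P<src>[\d.]+):(?P<sport>\d+)"
    r" > (?P<dst>[\d.]+):(?P<dport>\d+) len (?P<len>\d+)$"
)

# Constructed sample input (documentation addresses, not real observations).
SAMPLE_LOG = """\
ext0 udp 169.254.17.5:137 > 203.0.113.10:137 len 78
ext0 udp 192.168.1.44:137 > 203.0.113.11:137 len 78
ext0 udp 198.51.100.7:137 > 203.0.113.12:137 len 78
ext0 tcp 198.51.100.9:40000 > 203.0.113.10:80 len 60
int0 udp 169.254.3.2:137 > 169.254.255.255:137 len 78
garbage line
"""

def classify(line, external_iface="ext0"):
    """Return (src, verdict) for a UDP/137 packet, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m["proto"] != "udp" or m["dport"] != "137":
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:  # digits and dots that are not a valid IPv4 address
        return None
    label = next((name for name, net in UNROUTED.items() if src in net), None)
    if label is None:
        return (str(src), "routable source")
    if m["iface"] == external_iface:
        # An upstream router forwarded a packet it should have dropped.
        return (str(src), "leaked across boundary: " + label)
    return (str(src), "local segment: " + label)

def scan(log_text):
    """Classify every line and keep only the UDP/137 results."""
    return [r for r in map(classify, log_text.splitlines()) if r is not None]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_LOG):
        print(f"{src:15} {verdict}")
```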