Security Incidents mailing list archives

Re: Lots netbios scans (udp 137)


From: Erich.Meier () INFORMATIK UNI-ERLANGEN DE (Erich Meier)
Date: Thu, 4 May 2000 16:24:16 +0200


On Wed, May 03, 2000 at 03:31:21AM -0400, Greg A. Woods wrote:
> [ On Monday, May 1, 2000 at 20:20:57 (-0500), Ben Laws wrote: ]
> > Subject: Re: Lots netbios scans (udp 137)
> >
> > Here I've been observing similar scans, although
> > over a smaller address space.  They always originate
> > from a Windows box (determined by `nmap -sS -O
> > target`), and I've seen them come from all over as
> > well.  Best to ensure you don't have any open shares
> > on your Windows systems --
>
> The scans I saw last week were always from unrouted networks such as
> 192.168 and 169.254, but from port 137 and to port 137, and always
> 78-byte UDP packets.
>
> Is there any possibility that it's "normal" for a M$-Win box to do this
> under some circumstances?

Yes, it's normal. And it's legal.

To quote from Bill Manning's I-D draft-manning-dsua-03.txt:

-----
169.254.0.0/16 has been ear-marked as the IP range to use for end node
auto-configuration when a DHCP server may not be found. As such, network
operations and administrators should be VERY aggressive in ensuring that
neither route advertisements nor packet forwarding should occur across
any media boundaries. This is true for the Internet as well as any
private networks that use the IP protocols. End node administrators
should be aware that some vendors will auto-configure and add this
prefix to the nodes forwarding table. This will cause problems with
sites that run router discovery or deprecated routing protocols such as
RIP.
-----

M$ apparently uses this network when no other IP addresses are configured.
At least I saw packets from these addresses from a new Win2K machine on our net.

Regards,
Erich
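
An added example, not part of the original post: a border-side check for the traffic described in this thread, flagging UDP 137-to-137 datagrams whose source lies in 169.254.0.0/16 or RFC 1918 space and decoding the NetBIOS name service question they carry. The helper names and the sample packet are constructed for illustration; the sample is a wildcard node status request, and treating that as the 78-byte packet the posters saw (20 bytes IP + 8 bytes UDP + 50 bytes payload) is an assumption.

```python
import ipaddress
import struct

# Sources that should never cross a network boundary: the 169.254.0.0/16
# auto-configuration range from the quoted draft, plus RFC 1918 space.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode_nb_name(encoded: bytes) -> str:
    """Undo NetBIOS first-level encoding (each nibble is sent as 'A' + nibble)."""
    raw = bytes((((encoded[i] - 0x41) & 0x0F) << 4) | ((encoded[i + 1] - 0x41) & 0x0F)
                for i in range(0, 32, 2))
    return raw.rstrip(b"\x00 ").decode("ascii", "replace")

def parse_nbns_query(payload: bytes):
    """Return (name, qtype) for a single-question NBNS request, else None."""
    if len(payload) < 50:
        return None
    _tid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    # Reject responses and anything that is not one 32-character encoded name.
    if flags & 0x8000 or qdcount != 1 or payload[12] != 0x20 or payload[45] != 0:
        return None
    qtype, _qclass = struct.unpack("!HH", payload[46:50])
    return decode_nb_name(payload[13:45]), qtype

def inspect(src: str, sport: int, dport: int, payload: bytes):
    """Describe one inbound UDP datagram seen at the border (hypothetical helper)."""
    if (sport, dport) != (137, 137):
        return None
    addr = ipaddress.ip_address(src)
    return {
        "src": src,
        "non_routable_src": any(addr in net for net in NON_ROUTABLE),
        "ip_length": 20 + 8 + len(payload),  # IPv4 header without options + UDP header
        "query": parse_nbns_query(payload),
    }

# Constructed sample: node status request (type 0x21) for the wildcard name "*".
SAMPLE = (struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 0)
          + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
          + struct.pack("!HH", 0x0021, 0x0001))

if __name__ == "__main__":
    for src in ("169.254.10.20", "192.168.1.7", "203.0.113.5"):
        print(inspect(src, 137, 137, SAMPLE))
```

A hit with `non_routable_src` set means the packet crossed a boundary it should not have; filtering such sources on ingress and egress follows the recommendation in the draft quoted above.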
