Is there any *valid* reason to see UDP traffic directed at a unix box's port 137 coming from IP sources across the internet ? The unix servers in question are most definitely *not* running samba, and there is absolutely no NT anywhere on this customer's network (that is seeing the incoming UDP traffic directed at an IP destination address on port 137). (A couple of 95 boxes scattered across an Ethernet comprise the Micro$oft part of the network). None of the 95 boxen are running any file or print serving (sharing) resources.

I can't think of any valid reason to see this traffic, personally. Anybody out there that can present a scenario where I would expect to see these UDP packets coming back in ?

netbios-ns 137/tcp nbns
netbios-ns 137/udp nbns
netbios-dgm 138/tcp nbdgm
netbios-dgm 138/udp nbdgm
netbios-ssn 139/tcp nbssn

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
C. Jon Larsen Email: jlarsen@ford.ajtech.com
Systems Engineer Voice: +1.804.353.2800 x118
A&J Technologies http://www.ajtech.com
PGP Key fingerprint: 8A 62 4C 6E 1E 3C CD 63 B3 16 1A 1B D2 61 EE 97
PGP Public key available at: http://ford.ajtech.com/CJL.txt
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Date: Tue, 06 Jan 1998 12:54:52 -0500 (EST) From: "C. Jon Larsen" <jlarsen@ford.ajtech.com> Subject: UDP port 137 Question To: nanog@merit.edu
Is there any *valid* reason to see UDP traffic directed at a unix box's port 137 coming from IP sources across the internet ? The unix servers in question are most definitely *not* running samba, and there is absolutely no NT anywhere on this customer's network (that is seeing the incoming UDP traffic directed at an IP destination address on port 137). (A couple of 95 boxes scattered across an Ethernet comprise the Micro$oft part of the network). None of the 95 boxen are running any file or print serving (sharing) resources.
Are you sure these don't have ip broadcast addresses on them? I've seen MS UDP packets with 255.255.255.255 as the destination address if the WIN box isn't set up reasonably.
I can't think of any valid reason to see this traffic, personally. Anybody out there that can present a scenario where I would expect to see these UDP packets coming back in ?
netbios-ns 137/tcp nbns
netbios-ns 137/udp nbns
netbios-dgm 138/tcp nbdgm
netbios-dgm 138/udp nbdgm
netbios-ssn 139/tcp nbssn
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- C. Jon Larsen Email: jlarsen@ford.ajtech.com Systems Engineer Voice: +1.804.353.2800 x118 A&J Technologies http://www.ajtech.com
PGP Key fingerprint: 8A 62 4C 6E 1E 3C CD 63 B3 16 1A 1B D2 61 EE 97 PGP Public key available at: http://ford.ajtech.com/CJL.txt =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Dave Nordlund d-nordlund@ukans.edu University of Kansas 913/864-0450 Computing Services FAX 913/864-0485 Lawrence, KS 66045 KANREN
One would hope the backbones aren't passing 255.255.255.255 around to come in via his Internet connection

At 01:17 PM 1/6/98 +0000, DAVE NORDLUND wrote:
Date: Tue, 06 Jan 1998 12:54:52 -0500 (EST) From: "C. Jon Larsen" <jlarsen@ford.ajtech.com> Subject: UDP port 137 Question To: nanog@merit.edu
[cut]
Are you sure these don't have ip broadcast addresses on them? I've seen MS UDP packets with 255.255.255.255 as the destination address if the WIN box isn't set up reasonably.
[cut]
Dave Nordlund d-nordlund@ukans.edu University of Kansas 913/864-0450 Computing Services FAX 913/864-0485 Lawrence, KS 66045 KANREN
============================================================================ ==== Eric Germann Computer and Communications Technologies ekgermann@cctec.com Van Wert, OH 45891 Phone: 419 968 2640 http://www.cctec.com Fax: 419 968 2641 Network Design, Connectivity & System Integration Services A Microsoft Solution Provider
Date: Tue, 06 Jan 1998 16:43:27 -0500 From: Eric Germann <ekgermann@cctec.com> Subject: Re: UDP port 137 Question To: d-nordlund@UKANS.EDU Cc: nanog@merit.edu
One would hope the backbones aren't passing 255.255.255.255 around to come in via his Internet connection
One would hope........ ! But you can't assume!
At 01:17 PM 1/6/98 +0000, DAVE NORDLUND wrote:

[cut]
Dave Nordlund d-nordlund@ukans.edu University of Kansas 913/864-0450 Computing Services FAX 913/864-0485 Lawrence, KS 66045 KANREN
Well, at least you're not alone:

deny udp any any eq netbios-ns (5479183 matches)
deny udp any any eq netbios-dgm (20345 matches)
deny udp any any eq 139 (414 matches)
deny tcp any any eq 139 (20446 matches)

No Windoze on this side... How much garbage traffic is generated by MS products anyhow?

~~~~~~~~~~ ~~~~~~~~~~~
Charles Sprickman Internet Channel
INCH System Administration Team (212)243-5200
spork@inch.com access@inch.com

On Tue, 6 Jan 1998, C. Jon Larsen wrote:
Date: Tue, 6 Jan 1998 12:54:52 -0500 (EST) From: "C. Jon Larsen" <jlarsen@ford.ajtech.com> To: nanog@merit.edu Subject: UDP port 137 Question
[cut]
No Windoze on this side... How much garbage traffic is generated by MS products anyhow?
I thought most of it is....... >;)

--
======================================================
Steve Carter scarter@genuity.net
GENUITY Inc. Phone: (602) 308 2386
a BECHTEL^H^H^H^H^H^H^HGTE Company
======================================================
"I used to think that the brain was the most wonderful organ in my body. Then I realized who was telling me this." -- Emo Phillips
======================================================
C. Jon Larsen put this into my mailbox:
Is there any *valid* reason to see UDP traffic directed at a unix box's port 137 coming from IP sources across the internet ? The unix servers in question are most definitely *not* running samba, and there is absolutely no NT anywhere on this customer's network (that is seeing the incoming UDP traffic directed at an IP destination address on port 137). (A couple of 95 boxes scattered across an Ethernet comprise the Micro$oft part of the network). None of the 95 boxen are running any file or print serving (sharing) resources.
I can't think of any valid reason to see this traffic, personally. Anybody out there that can present a scenario where I would expect to see these UDP packets coming back in ?
No. Doubtless some idiot thinks everybody runs WinDoze and is trying to winnuke you, especially if several boxes get hit one after the other. E-mail the contacts of the source address and ask that the account be removed; chances are the person wasn't clueful enough to spoof the source address.

-dalvenjah

--
Dalvenjah FoxFire (aka Sven Nielsen) "Hath not a dude eyes? If you prick us, Founder, the DALnet IRC Network do we not get bummed? If we eat bad guacamole, do we not blow chunks?" e-mail: dalvenjah@dal.net - Keanu Reeves as Shylock in The Critic whois: SN90 WWW: http://www.dal.net/~dalvenjah/
The other less paranoid scenario is they were renumbered and didn't update some server mappings in WINS or LMHOSTS and you were lucky enough to get their old space.

Eric

At 10:52 AM 1/6/98 -0800, Dalvenjah FoxFire wrote:
C. Jon Larsen put this into my mailbox:
[cut]
No. Doubtless some idiot thinks everybody runs WinDoze and is trying to winnuke you, especially if several boxes get hit one after the other. E-mail the contacts of the source address and ask that the account be removed; chances are the person wasn't clueful enough to spoof the source address.
-dalvenjah
-- Dalvenjah FoxFire (aka Sven Nielsen) "Hath not a dude eyes? If you prick us, Founder, the DALnet IRC Network do we not get bummed? If we eat bad guacamole, do we not blow chunks?" e-mail: dalvenjah@dal.net - Keanu Reeves as Shylock in The Critic whois: SN90 WWW: http://www.dal.net/~dalvenjah/
============================================================================ ==== Eric Germann Computer and Communications Technologies ekgermann@cctec.com Van Wert, OH 45891 Phone: 419 968 2640 http://www.cctec.com Fax: 419 968 2641 Network Design, Connectivity & System Integration Services A Microsoft Solution Provider
Eric,

Good point that nobody else mentioned. Since the network number is freshly allocated, I believe (not recycled), I'm pretty sure that this is not the case *this* time.

Anyway, I'm filing away all of the interesting responses. The port 137/UDP traffic may indeed be harmless. Some other packets I'm now seeing (port 139/TCP, 1-2 packets, from different source IPs) seem to indicate this may be more than Micro$oft misconfiguration . . .

On Tue, 6 Jan 1998, Eric Germann wrote:
The other less paranoid scenario is they were renumbered and didn't update some server mappings in WINS or LMHOSTS and you were lucky enough to get their old space.
Eric
At 10:52 AM 1/6/98 -0800, Dalvenjah FoxFire wrote:

[cut]
On Tue, 6 Jan 1998, C. Jon Larsen wrote:
Is there any *valid* reason to see UDP traffic directed at a unix box's port 137 coming from IP sources across the internet ? The unix servers in question are most definitely *not* running samba, and there is absolutely no NT anywhere on this customer's network (that is seeing the incoming UDP traffic directed at an IP destination address on port 137). (A couple of 95 boxes scattered across an Ethernet comprise the Micro$oft part of the network). None of the 95 boxen are running any file or print serving (sharing) resources. [stuff cut]
Hi Jon. If memory serves, Netbios nameservices are generally only on the same segment unless you have an NT/Samba server somewhere... As it is, it should *NOT* be directed at your Unix boxes and definitely not coming across the Internet. My guess is that someone may be attempting a bad OOB data attack on port 137 thinking that your Unix box is some type of PC.

Mel

Melody Lynn Yoon melodyy@best.com | Graduate - '97 MSF
Senior SA - Taos Mountain Software, Santa Clara, CA | NRA Member
-- I do not accept commercial, unsolicited email -- http://www.best.com/~melodyy/spam.policy.html
My mailer says that Melody Yoon said:
Hi Jon. If memory serves, Netbios nameservices are generally only on the same segment unless you have an NT/Samba server somewhere... As it is, it should *NOT* be directed at your Unix boxes and definitely not coming across the Internet. My guess is that someone may be attempting a bad OOB data attack on port 137 thinking that your Unix box is some type of PC.
who was it that said, "never attribute to malice what can be explained by stupidity?"

we run a web farm and see requests directed at port 137 all the time on the web sites we host. i don't know for certain, but i assume it is some sort of internet explorer "feature" that is attempting to establish a CIFS connection to the web site. we ignore them anyway.

--
=== bryce ryan ============ organic ======== brycer@organic.com =========
==== director =========== information ===== http://www.organic.com/ ======
== /etc/networks ========== services === v:415.278.5652#f:415.284.6891 ===
On Tue, 6 Jan 1998, Bryce Ryan wrote: [cut]
who was it that said, "never attribute to malice what can be explained by stupidity?"
no clue, but I like the quote. :)
we run a web farm and see requests directed at port 137 all the time on the web sites we host. i don't know for certain, but i assume it is some sort of internet explorer "feature" that is attempting to establish a CIFS connection to the web site. we ignore them anyway.
Hi Bryce. That's a possibility which I had not thought of.. However, to test it, I ran Explorer on some machines here (including IE4.0 for Sparc) and directed it my workstation here which is running apache. I've got snoop running monitoring port 137, and so far, I've gotten no hits from the machines running IE4 that are specifically directed to my Sparc (as per the scenario from the original poster). Due to the way our network is configured here, I don't have the ability to go over a router (we're on a Cat5k switch).

Could someone out there do a similar test and double check my methods and see if I just did something wrong? :)

mel

Melody Lynn Yoon melodyy@best.com | Graduate - '97 MSF
Senior SA - Taos Mountain Software, Santa Clara, CA | NRA Member
-- I do not accept commercial, unsolicited email -- http://www.best.com/~melodyy/spam.policy.html
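The thread never gets past "something is hitting port 137"; what a sniffer like snoop or tcpdump actually hands you is a UDP payload that is either a well-formed NetBIOS Name Service message (RFC 1002: a 12-byte header plus a question whose 16-byte name is spread over 32 letters 'A'..'P') or it is not. The decoder below is an added example written for this page, not code from any poster; it parses the header and question section, labels a datagram as a name query, node status request, registration, response, or "not NBNS" at all, and builds its own constructed sample packets so it runs offline. Telling a plain name query for SERVER<20> apart from random bytes aimed at 137 is the first step in deciding whether you are looking at a misconfigured Windows box, a browser doing a CIFS lookup, or something that only borrows the port number.

```python
import struct

# RFC 1002 header flags: bit 15 = response, bits 11-14 = opcode,
# bit 8 (0x0100) = recursion desired, bit 4 (0x0010) = broadcast.
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}   # NB = name query, NBSTAT = node status


def encode_name(name, suffix):
    """First-level encoding (RFC 1002 section 4.1): 15 space-padded name
    bytes plus one suffix byte, every byte split into two nibbles written
    as the letters 'A'..'P', wrapped as a 32-byte label with a NULL scope."""
    if name == "*":                      # wildcard used by node status requests
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().encode("ascii")[:15].ljust(15) + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(encoded) + b"\x00"


def decode_name(buf, offset):
    """Reverse of encode_name; returns (name, suffix, offset after the name)."""
    if buf[offset] != 0x20:
        raise ValueError("NetBIOS name label must be 32 bytes long")
    enc = buf[offset + 1:offset + 33]
    if len(enc) != 32 or any(c < 0x41 or c > 0x50 for c in enc):
        raise ValueError("label is not half-ASCII encoded")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    offset += 33
    while buf[offset] != 0:              # skip scope labels, if any
        offset += 1 + buf[offset]
    offset += 1
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15], offset


def parse_nbns(payload):
    """Parse header and question section; None if it does not look like NBNS."""
    if len(payload) < 12:
        return None
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0x0F
    if opcode not in OPCODES:
        return None
    questions, offset = [], 12
    try:
        for _ in range(qdcount):
            name, suffix, offset = decode_name(payload, offset)
            qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
            offset += 4
            questions.append((name, suffix, QTYPES.get(qtype, hex(qtype)), qclass))
    except (ValueError, IndexError, struct.error):
        return None
    return {"tid": tid, "response": bool(flags & 0x8000), "opcode": OPCODES[opcode],
            "broadcast": bool(flags & 0x0010), "questions": questions}


def classify(payload):
    """Triage label for one 137/udp payload."""
    pkt = parse_nbns(payload)
    if pkt is None:
        return {"kind": "not-nbns"}
    qs = pkt["questions"]
    if pkt["response"]:
        kind = "nbns-response"
    elif pkt["opcode"] == "query" and qs and qs[0][2] == "NBSTAT":
        kind = "nbns-node-status-request"
    elif pkt["opcode"] == "query" and qs:
        kind = "nbns-name-query"
    elif pkt["opcode"] in ("registration", "refresh"):
        kind = "nbns-registration"
    elif pkt["opcode"] == "release":
        kind = "nbns-release"
    else:
        kind = "nbns-malformed"
    return {"kind": kind, "name": qs[0][0] if qs else "",
            "suffix": qs[0][1] if qs else None, "broadcast": pkt["broadcast"]}


def build_request(name, suffix, qtype, opcode=0, tid=0x1234, broadcast=True):
    """Construct a sample NBNS request (constructed test data, not a capture)."""
    flags = (opcode << 11) | 0x0100 | (0x0010 if broadcast else 0)
    return (struct.pack("!6H", tid, flags, 1, 0, 0, 0)
            + encode_name(name, suffix) + struct.pack("!HH", qtype, 1))


# Constructed samples of what a sniffer might hand you from port 137.
SAMPLES = {
    "name query FILESRV<20>": build_request("FILESRV", 0x20, 0x0020),
    "node status request *": build_request("*", 0x00, 0x0021),
    "registration HOST1<00>": build_request("HOST1", 0x00, 0x0020, opcode=5),
    "12 NUL bytes": b"\x00" * 12,
    "ascii junk": b"this is not netbios at all",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:24} -> {classify(payload)}")
```

Feed the UDP payload of each captured 137/udp datagram to classify(); the suffix byte (0x00 workstation, 0x20 file server, 0x1D master browser) and the broadcast flag are usually enough to tell a lost LAN broadcast from a unicast lookup aimed at your address on purpose.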
Bryce,

IANA sez:

netbios-ns 137/tcp NETBIOS Name Service
netbios-ns 137/udp NETBIOS Name Service

-rick

On Tue, 6 Jan 1998, Melody Yoon wrote:
[cut]
Date: Tue, 06 Jan 1998 12:17:47 -0800 (PST) From: Melody Yoon <melodyy@best.com> Subject: Re: UDP port 137 Question To: Bryce Ryan <brycer@organic.com> Cc: jlarsen@ford.ajtech.com, nanog@merit.edu
[cut]
Hi Bryce. That's a possibility which I had not thought of.. However, to test it, I ran Explorer on some machines here (including IE4.0 for Sparc) and directed it my workstation here which is running apache. I've got snoop running monitoring port 137, and so far, I've gotten no hits from the machines running IE4 that are specifically directed to my Sparc (as per the scenario from the original poster). Due to the way our network is configured here, I don't have the ability to go over a router (we're on a Cat5k switch).
I believe that WIN95 will do the UDP to 137 only if both MS network and TCP/IP are configured. If you kill the MS network, that won't happen.
Could someone out there do a similar test and double check my methods and see if I just did something wrong? :)
mel
Melody Lynn Yoon melodyy@best.com | Graduate - '97 MSF Senior SA - Taos Mountain Software, Santa Clara, CA | NRA Member -- I do not accept commercial, unsolicited email -- http://www.best.com/~melodyy/spam.policy.html
Dave Nordlund d-nordlund@ukans.edu University of Kansas 913/864-0450 Computing Services FAX 913/864-0485 Lawrence, KS 66045 KANREN
A weird thing I noticed about Microsoft in the past is that occasionally it will think you are on a class B network even if your address space is clearly class C. I had that problem with an ISP I did consulting for, they were assigned the 209.25.255.0 network (I might be wrong about the second octet). We noticed heavy traffic coming in on their t1, so heavy in fact that the poor cisco 3000 could barely handle commands from a terminal. It turns out that several networks were misconfigured and sending their broadcast traffic to us, we promptly called the upstream and asked for a new /24. I know it's sort of off topic for the port 137-139 discussion, but I thought some of you guys would be interested.

Regards,
James Stephens James@iperform.net
Network Administrator 714-254-0200
Internet Performance Fax: 714-254-0600
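James's story has a precise mechanism behind it: a host at 209.25.x.y that assumes a class B mask computes its broadcast address as 209.25.255.255, and that address lives inside the 209.25.255.0/24 that was assigned to his customer, so every such host's NetBIOS broadcasts arrive as unicast-routed packets addressed to that /24. The script below is an added example written for this page, not code from any poster; it uses the prefix from James's message (he notes the second octet may be misremembered) as an assumed value and a constructed list of source/destination pairs. It shows which shorter masks would land a sender's broadcast in a given prefix, labels each observed packet (including Dave's 255.255.255.255 case), and for foreign sources hitting the local broadcast address reports the wrong mask that would explain them.

```python
import ipaddress
from collections import Counter

# Prefix from James's story (assumed here; he says the second octet may be off).
OUR_NET = "209.25.255.0/24"
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def _net(n):
    return n if isinstance(n, ipaddress.IPv4Network) else ipaddress.ip_network(n)


def broadcast_for(host, prefixlen):
    """Broadcast address a host would use if it believed its subnet was this long."""
    return ipaddress.ip_interface(f"{host}/{prefixlen}").network.broadcast_address


def exposed_to_classful_broadcast(our_net=OUR_NET):
    """Shorter (classful-style) masks whose broadcast address lands inside our prefix.
    A /24 at the top of its /16 (x.y.255.0/24) is hit by every x.y.0.0/16 host
    that wrongly assumes a class B mask."""
    our_net = _net(our_net)
    hits = []
    for plen in (8, 16, 24):
        if plen >= our_net.prefixlen:
            continue
        supernet = ipaddress.ip_network(f"{our_net.network_address}/{plen}", strict=False)
        if supernet.broadcast_address in our_net:
            hits.append(plen)
    return hits


def mask_that_explains(src, our_net=OUR_NET):
    """Which wrong mask on the sender would make its broadcast equal ours, or None."""
    our_net = _net(our_net)
    for plen in (8, 16, 24):
        if broadcast_for(src, plen) == our_net.broadcast_address:
            return plen
    return None


def classify_packet(src, dst, our_net=OUR_NET):
    """Label one (src, dst) pair seen arriving at the border."""
    our_net = _net(our_net)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst == LIMITED_BROADCAST:
        return "limited-broadcast"        # Dave's case: 255.255.255.255 leaking out
    if dst == our_net.broadcast_address:
        # a foreign source hitting our broadcast address is the class B symptom James saw
        return "directed-broadcast-local" if src in our_net else "directed-broadcast-foreign"
    if dst in our_net:
        return "unicast"
    return "not-ours"


def summarize(packets, our_net=OUR_NET):
    """Count packets per label; packets are (src, dst) string pairs."""
    return Counter(classify_packet(s, d, our_net) for s, d in packets)


# Constructed sample of UDP/137 flows as a border filter log might show them.
SAMPLE_PACKETS = [
    ("209.25.255.10", "209.25.255.20"),
    ("209.25.3.44", "209.25.255.255"),
    ("209.25.77.9", "209.25.255.255"),
    ("209.25.255.40", "209.25.255.255"),
    ("198.51.100.7", "255.255.255.255"),
    ("203.0.113.5", "209.25.255.33"),
]

if __name__ == "__main__":
    print("exposed to classful broadcast from masks:", exposed_to_classful_broadcast())
    for src, dst in SAMPLE_PACKETS:
        label = classify_packet(src, dst)
        extra = ""
        if label == "directed-broadcast-foreign":
            extra = f" (sender mask /{mask_that_explains(src)} would explain it)"
        print(f"{src:>14} -> {dst:<16} {label}{extra}")
    print(summarize(SAMPLE_PACKETS))
```

The practical takeaway for the border filter is that a /24 whose third octet is 255 inherits the broadcast address of its parent /16, so dropping packets to the local broadcast address from sources outside the prefix (and 255.255.255.255 from anywhere) is what keeps a cisco 3000 responsive while the upstream sorts out who is misconfigured.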
port 139 is the OOB bug known as winnuke attack and can be patched, variations come through other ports as directed by Linux boxes at win95 users or MS users

Henry R. Linneweh

C. Jon Larsen wrote:
[cut]