gary flynn <gary @
> I'm seeing lots of access violations for UDP 137 which is
> used by Netbios name services. I'm blocking 137-139 from
> the Internet. What I don't understand is why these are trying to
> come in from the Internet destined for machines all over
> campus...some that aren't even running Netbios services (or so
> I'm told).
We are seeing violations for UDP 137 as well.
At the same time as the violation we see the same IP address accessing our web
site which is behind the firewall recording the violation. I suspect that the
systems at these IP addresses have WINS and/or NETBIOS over IP enabled whether
they know it or not. In our case the IP addresses causing the violations appear
to belong to ISPs, so I believe that these are dialup users. Thus, when accessing our web
site, WINS on their system is confused and attempts to do WINS name resolution
using the address of our web site/firewall.
E. Graham Dougall, CISSP, FLMI/ACS, I.S.P.
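
An added example, not part of the original messages: one way to check the explanation above is to see whether each denied UDP 137 packet lines up with a web request from the same source address shortly before or after it. The log formats, addresses and the 60-second window are constructed assumptions, not any real firewall's output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"

# Constructed sample logs (assumed formats, documentation address ranges).
FIREWALL_LOG = """\
2000-03-01 10:15:02 DENY udp 198.51.100.23:137 -> 192.0.2.10:137
2000-03-01 10:15:40 DENY udp 203.0.113.77:137 -> 192.0.2.55:137
2000-03-01 10:20:11 DENY tcp 198.51.100.99:1042 -> 192.0.2.10:139
2000-03-01 11:02:30 DENY udp 198.51.100.150:137 -> 192.0.2.10:137
"""
WEB_LOG = """\
2000-03-01 10:14:58 198.51.100.23 GET /index.html
2000-03-01 10:30:00 198.51.100.150 GET /index.html
"""

def parse_web(text):
    """Map client IP -> list of request times."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            date, time, ip = line.split()[:3]
            hits[ip].append(datetime.strptime(f"{date} {time}", TS))
    return hits

def parse_denies(text):
    """Yield (time, src_ip, dst_ip) for denied UDP packets to port 137."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, proto, src, _, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        if action == "DENY" and proto == "udp" and dst_port == "137":
            when = datetime.strptime(f"{date} {time}", TS)
            yield when, src.rsplit(":", 1)[0], dst_ip

def correlate(fw_text, web_text, window=timedelta(seconds=60)):
    """Split UDP 137 denies into those near a web hit from the same source
    (consistent with a client-side name lookup) and those with no such hit."""
    hits = parse_web(web_text)
    matched, unmatched = [], []
    for when, src, dst in parse_denies(fw_text):
        near = any(abs(when - t) <= window for t in hits.get(src, []))
        (matched if near else unmatched).append((src, dst))
    return matched, unmatched

if __name__ == "__main__":
    print(correlate(FIREWALL_LOG, WEB_LOG))
```

Denies that fall in the unmatched list, especially ones aimed at hosts that serve no web content, are the ones the browsing explanation does not cover.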