> From: Theresa.Fisher@reliastar.com
> To: " - (052)firewalls(a)greatcircle.com" <firewalls@GreatCircle.COM>
> Subject: UDP Port 137
> Date: Tue, 8 Oct 1996 13:13:30 -0500
> I know there has been discussion about UDP Port 137, but what I want
> to know specifically is why, say, 100 attempts would be made from an
> external address and what are they looking for or to do?
>
> Any information would be much appreciated!
You will see activity on this port from Microsoft networking clients
such as WFW, Windows NT, etc. Ports 137, 138, and 139 are used by
Server Message Block (aka SMB, Microsoft Networking, NetBIOS over
IP) to establish network connections, perform name lookups and pass
other sordid information.

In this case port 137 is a UDP-based service that is used to resolve
NetBIOS names (i.e. for "Browsing" a network). Some MS clients will
try to resolve the NetBIOS name when making a connection to another
host by trying to access this port. In particular, I've noticed that
when you are sending mail to a Microsoft Exchange SMTP server that
it will first attempt to do a name lookup on the connecting host. I'm
not sure of the purpose of this; however, I suspect it is similar to
the ident lookup performed by sendmail servers and fairly innocuous.

If this is the case, your packet filter will show a port 137 connect from
the Exchange host it is talking to. If you correlate your outgoing mail logs
with the dates of the security alerts on port 137 you'll probably see that
they match.

Hope that helps...

-- Craig
>
> Theresa Fisher
> ReliaStar Financial
>
> theresa.fisher@reliastar.com
>
>
Craig H. Rowland
Virtual Open Networking Environments (V-ONE)
Security Consulting Group
(301) 838-8900 x208
crowland@v-one.com
http://www.v-one.com
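
The correlation suggested in the reply above, as an added example that is not part of the original message: it pairs each inbound UDP/137 deny with an outgoing SMTP delivery to the same address close in time and lists the alerts that have no such delivery. Both log line formats, the sample lines, the 60-second window and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs; both line formats are assumptions for illustration.
FILTER_LOG = """\
Oct  8 13:13:27 fw filter: deny udp 192.0.2.25:137 -> 198.51.100.10:137
Oct  8 13:40:02 fw filter: deny udp 203.0.113.77:137 -> 198.51.100.10:137
Oct  8 14:05:11 fw filter: deny udp 192.0.2.25:137 -> 198.51.100.10:137
Oct  8 14:05:12 fw filter: deny tcp 203.0.113.9:1044 -> 198.51.100.10:23
"""
MAIL_LOG = """\
Oct  8 13:13:25 mailhost sendmail[411]: NAA00411: to=<a@example.com>, mailer=smtp, relay=mx.example.com. [192.0.2.25], stat=Sent
Oct  8 14:05:09 mailhost sendmail[502]: OAA00502: to=<b@example.com>, mailer=smtp, relay=mx.example.com. [192.0.2.25], stat=Sent
Oct  8 15:00:00 mailhost sendmail[600]: PAA00600: to=<c@example.net>, mailer=smtp, relay=mx.example.net. [203.0.113.77], stat=Sent
"""

TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
ALERT_RE = re.compile(TS + r" \S+ filter: deny udp (\S+?):\d+ -> \S+:137$")
MAIL_RE = re.compile(TS + r" .*relay=\S* ?\[([\d.]+)\]")

def parse_ts(text, year=1996):
    # Syslog timestamps carry no year; 1996 is taken from the thread's date.
    return datetime.strptime(f"{year} " + " ".join(text.split()), "%Y %b %d %H:%M:%S")

def correlate(filter_log, mail_log, window=timedelta(seconds=60)):
    """Split inbound UDP/137 denies into those with an outgoing SMTP
    delivery to the same address within `window`, and the rest."""
    deliveries = [(parse_ts(m.group(1)), m.group(2))
                  for m in map(MAIL_RE.search, mail_log.splitlines()) if m]
    explained, unexplained = [], []
    for line in filter_log.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not a UDP port 137 deny
        when, src = parse_ts(m.group(1)), m.group(2)
        # The delivery is logged when the SMTP session ends, so the lookup
        # may be logged slightly before or after it: compare both ways.
        hit = any(ip == src and abs(when - sent) <= window
                  for sent, ip in deliveries)
        (explained if hit else unexplained).append((when, src))
    return explained, unexplained

if __name__ == "__main__":
    ok, todo = correlate(FILTER_LOG, MAIL_LOG)
    print("match outgoing mail:", ok)
    print("no matching delivery:", todo)
```

Alerts in the second list are the ones the mail-server explanation does not cover and that still need a separate look.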