North American Network Operators Group

Re: UDP port 137 Question

  • From: C. Jon Larsen
  • Date: Tue Jan 06 16:29:50 1998

Eric,

Good point that nobody else mentioned. Since the network number
is freshly allocated, I believe (not recycled), I'm pretty sure that this
is not the case *this* time.

Anyway, I'm filing away all of the interesting responses. The port 137/UDP
traffic may indeed be harmless. Some other packets I'm now seeing (port
139/TCP, 1-2 packets, from different source IPs) seem to indicate this may
be more than Micro$oft misconfiguration . . .

On Tue, 6 Jan 1998, Eric Germann wrote:

> The other less paranoid scenario is they were renumbered and didn't update
> some server mappings in WINS or LMHOSTS and you were lucky enough to get
> their old space.
> 
> Eric
> 
> 
> At 10:52 AM 1/6/98 -0800, Dalvenjah FoxFire wrote:
> >C. Jon Larsen put this into my mailbox:
> >> 
> >> Is there any *valid* reason to see UDP traffic directed at a unix box's
> >> port 137 coming from IP sources across the internet ? The unix servers in
> >> question are most definitely *not* running samba, and there is absolutely
> >> no NT anywhere on this customer's network (that is seeing the incoming UDP
> >> traffic directed at an IP destination address on port 137). (A couple
> >> of 95 boxes scattered across an Ethernet comprise the Micro$oft part of
> >> the network). None of the 95 boxen are running any file or print serving
> >> (sharing) resources.
> >> 
> >> I can't think of any valid reason to see this traffic, personally. Anybody
> >> out there that can present a scenario where I would expect to see these
> >> UDP packets coming back in ?
> >
> >No. Doubtless some idiot thinks everybody runs WinDoze and is trying to
> >winnuke you, especially if several boxes get hit one after the other.
> >E-mail the contacts of the source address and ask that the account
> >be removed; chances are the person wasn't clueful enough to spoof the
> >source address.
> >
> >-dalvenjah
> >
> >-- 
> > Dalvenjah FoxFire (aka Sven Nielsen) "Hath not a dude eyes? If you prick us,
> > Founder, the DALnet IRC Network       do we not get bummed? If we eat bad
> >                                       guacamole, do we not blow chunks?"
> > e-mail: [email protected]              - Keanu Reeves as Shylock in The Critic
> > whois: SN90			     WWW: http://www.dal.net/~dalvenjah/  
> > 
> 
> 
> ================================================================================
> Eric Germann				Computer and Communications Technologies
> [email protected]			Van Wert, OH 45891
> 					Phone:	419 968 2640
> http://www.cctec.com			Fax:	419 968 2641
> 
> Network Design, Connectivity & System Integration Services 
> A Microsoft Solution Provider					
>
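
The thread weighs three readings of this traffic: one source hitting several boxes in a row, 139/TCP connection attempts on top of the 137/UDP packets, and repeated 137/UDP to a single host as a stale WINS or LMHOSTS mapping would produce. The script below is an added example, not part of the original messages, that sorts sources in a packet log into those three patterns. The log format, the addresses, the label names and the threshold of three destinations are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a made-up "time proto src:sport -> dst:dport" format;
# all addresses are documentation ranges, not data from the thread.
SAMPLE_LOG = """\
1998-01-06T10:01:02 udp 198.51.100.7:137 -> 192.0.2.10:137
1998-01-06T10:01:03 udp 198.51.100.7:137 -> 192.0.2.11:137
1998-01-06T10:01:04 udp 198.51.100.7:137 -> 192.0.2.12:137
1998-01-06T10:05:40 tcp 203.0.113.5:1042 -> 192.0.2.10:139
1998-01-06T10:05:43 tcp 203.0.113.5:1042 -> 192.0.2.10:139
1998-01-06T10:09:00 udp 203.0.113.40:137 -> 192.0.2.10:137
1998-01-06T10:19:00 udp 203.0.113.40:137 -> 192.0.2.10:137
1998-01-06T10:29:00 udp 203.0.113.40:137 -> 192.0.2.10:137
1998-01-06T10:30:00 tcp 203.0.113.40:1100 -> 192.0.2.10:80
"""

LINE = re.compile(r"^\S+ (udp|tcp) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
NETBIOS = {("udp", 137), ("tcp", 139)}  # name service, session service

def triage(log_text, sweep_threshold=3):
    """Return {source: (label, distinct_destinations, packet_count)}."""
    seen = defaultdict(lambda: {"dsts": set(), "svcs": set(), "n": 0})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        proto, src, dst, dport = m.groups()
        svc = (proto, int(dport))
        if svc not in NETBIOS:
            continue  # unrelated traffic
        rec = seen[src]
        rec["dsts"].add(dst)
        rec["svcs"].add(svc)
        rec["n"] += 1
    report = {}
    for src, rec in seen.items():
        if len(rec["dsts"]) >= sweep_threshold:
            label = "sweep"               # several boxes hit by one source
        elif ("tcp", 139) in rec["svcs"]:
            label = "session-attempt"     # went beyond name lookups
        else:
            label = "name-service-only"   # fits a stale WINS/LMHOSTS entry
        report[src] = (label, len(rec["dsts"]), rec["n"])
    return report

if __name__ == "__main__":
    for src, row in sorted(triage(SAMPLE_LOG).items()):
        print(src, *row)
```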