Subject: Re: Weird UDP packets
From: Dragos Ruiu (dr DURSEC.COM)
Date: Wed Mar 08 2000 - 15:35:50 CST
- Next message: Andrew Badr: "Re: UDP flood 28001-28003"
- Previous message: Matthew S. Hallacy: "ftp scan (was Re: web related oddity)"
- In reply to: Pavel Kankovsky: "Re: Weird UDP packets"
- Next in thread: Derek Becker: "Re: Weird UDP packets"
- Reply: Dragos Ruiu: "Re: Weird UDP packets"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, 08 Mar 2000, Pavel Kankovsky wrote:
> On Mon, 6 Mar 2000, Damian Gerow wrote:
>
> > I've been watching my firewall logs, and in the past week something has
> > cropped up. The firewall (all packets _do_ have a destination of the
> > firewall) is a filtering, forwarding firewall protecting both Linux and
> > NT servers. It does not run Samba, only SSH. The weird part of it is
> > that packets are coming from port 137 and going to port 137, and always
> > three packets from a different source each time. Can anyone help me
> > with this one?
>
> I have been observing a similar thing and found a correlation between
> instances of this netbios-ns junk and http accesses. All from MS
> Internet Exploder 4 or 5 on various Windoze flavours. Do not ascribe to...
>
> --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
> "Resistance is futile. Open your source code and prepare for assimilation."
What you seem to be describing sounds like the default WINS lookup of a Win98
os as a part of its DNS resolution... I.e. Wintendo user goes to new site... box
tries WINS then resolves with DNS when that fails if there is no WINS server,
I believe it retransmits 3 times. But then again it's been a while since I
looked at this... (I don't remember if this behaviour is tied to NetBios or
not). All disclaimers apply.
cheers,
--dr
--
dursec.com / kyx.net - we're from the future
http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - April 19-21 Vancouver
Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org, RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com
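Added example, not part of the original thread: one way to test the correlation discussed above, by grouping logged UDP 137 -> 137 packets into per-source bursts and checking whether the same source also made an HTTP request nearby in time. The record layout, the sample data, and the `WINDOW` and `BURST_GAP` values are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (not from the thread): (epoch seconds, source IP, kind).
# "nbns" = firewall log entry for a UDP packet with source and destination port 137;
# "http" = web server access log entry for a request from that source.
SAMPLE = [
    (1000, "192.0.2.10", "http"),
    (1001, "192.0.2.10", "nbns"),
    (1003, "192.0.2.10", "nbns"),
    (1005, "192.0.2.10", "nbns"),
    (2000, "198.51.100.7", "nbns"),
    (2002, "198.51.100.7", "nbns"),
    (2004, "198.51.100.7", "nbns"),
    (3000, "203.0.113.5", "http"),
    (9000, "203.0.113.5", "nbns"),
]

WINDOW = 60     # assumed: max seconds between an HTTP hit and the start of a burst
BURST_GAP = 10  # assumed: packets no further apart than this form one burst

def bursts(times, gap=BURST_GAP):
    """Group timestamps into bursts separated by more than `gap` seconds."""
    out = []
    for t in sorted(times):
        if out and t - out[-1][-1] <= gap:
            out[-1].append(t)
        else:
            out.append([t])
    return out

def correlate(records, window=WINDOW):
    """Return one row per NBNS burst: (src, first_ts, packet_count, near_http)."""
    nbns, http = defaultdict(list), defaultdict(list)
    for ts, src, kind in records:
        (nbns if kind == "nbns" else http)[src].append(ts)
    rows = []
    for src, times in nbns.items():
        for b in bursts(times):
            near = any(abs(b[0] - h) <= window for h in http.get(src, []))
            rows.append((src, b[0], len(b), near))
    return sorted(rows, key=lambda r: r[1])

if __name__ == "__main__":
    for src, ts, count, near in correlate(SAMPLE):
        label = "HTTP access nearby" if near else "no HTTP access nearby"
        print(f"{src} t={ts} packets={count} {label}")
```

Bursts of three packets that line up with an HTTP request from the same address fit the name-lookup explanation given in the thread; bursts with no matching request are the ones left to look at by hand.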