Subject: Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service)probeactivity
From: Bill Pennington (billp@ROCKETCASH.COM)
Date: Wed Mar 29 2000 - 10:40:31 CST


Besides Robert Graham's excellent list of things that might be causing
unwanted UDP/137 traffic, another common one I have seen is Windows-based
reporting tools. The cause is most likely not having a reverse DNS entry
for these hosts. Looking at the log times it seems likely that these are
nightly website traffic reports that are kicking off late at night and
attempting to look up your machine name (via rDNS first, then via
NetBIOS).

What time zone are the log times in? They seem to come in groups of 3
close together, which is a good indication that they are lookups. My
guess on the second set is that 2 machines are running the same log
files.

Bryan Andersen wrote:
>
> I too have seen this behavior. I block them at my firewall, but the
> numbers have dramatically increased for port 137 scans that hit every
> IP# in my micro net address range. Before Feb I'd see one a month at
> most.
>
> For the week of * I've seen:
> Feb 27: 3
> Mar 5: 5
> Mar 12: 8
> Mar 19: 4
> Mar 26: 3 so far
>
> I have a /30 net routed to me so I see traffic for 4 IP addresses.
> IP# *.18 is my DSL router so I don't see messages to it. I know I
> wasn't on the net last night at that time, and the address wasn't
> accessing my web server either.
>
> These log events from yesterday are typical of what I'd see:
>
> Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
> I=63748 F=0x0000 T=112
> Mar 27 22:00:27 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
> I=5381 F=0x0000 T=112
> Mar 27 22:00:28 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
> I=5637 F=0x0000 T=112
> Mar 27 22:00:36 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00
> I=58373 F=0x0000 T=112
> Mar 27 22:00:37 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00
> I=58629 F=0x0000 T=112
> Mar 27 22:00:39 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00
> I=59141 F=0x0000 T=112
> Mar 27 22:00:57 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00
> I=4360 F=0x0000 T=112
> Mar 27 22:00:58 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00
> I=4616 F=0x0000 T=112
> Mar 27 22:01:00 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00
> I=4872 F=0x0000 T=112
>
> This is a set from two sites very nicely meshed (Are they
> racing each other?):
>
> Mar 23 18:39:48 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00
> I=29440 F=0x0000 T=111
> Mar 23 18:39:48 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00
> I=29184 F=0x0000 T=111
> Mar 23 18:39:50 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00
> I=29696 F=0x0000 T=111
> Mar 23 18:39:50 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00
> I=29952 F=0x0000 T=111
> Mar 23 18:39:51 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00
> I=30464 F=0x0000 T=111
> Mar 23 18:39:51 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00
> I=30720 F=0x0000 T=111
> Mar 23 18:39:59 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00
> I=32000 F=0x0000 T=113
> Mar 23 18:39:59 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00
> I=32256 F=0x0000 T=111
> Mar 23 18:40:01 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00
> I=32512 F=0x0000 T=113
> Mar 23 18:40:01 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00
> I=32768 F=0x0000 T=111
> Mar 23 18:40:02 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00
> I=33024 F=0x0000 T=113
> Mar 23 18:40:02 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00
> I=33280 F=0x0000 T=111
> Mar 23 18:40:23 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00
> I=38144 F=0x0000 T=111
> Mar 23 18:40:23 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00
> I=38400 F=0x0000 T=111
> Mar 23 18:40:25 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00
> I=38656 F=0x0000 T=111
> Mar 23 18:40:25 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00
> I=38912 F=0x0000 T=111
> Mar 23 18:40:26 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00
> I=39168 F=0x0000 T=111
> Mar 23 18:40:26 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00
> I=39424 F=0x0000 T=111
>
> --
> | Bryan Andersen | bryan@visi.com | http://softail.visi.com |
> | Buzzwords are like annoying little flies that deserve to be swatted. |
> | -Bryan Andersen |

--

Bill Pennington, Senior IT Manager, Rocketcash, billp@rocketcash.com, http://www.rocketcash.com
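Added example, not part of the thread: a small Python script that applies the heuristic above to firewall lines in the format Bryan quoted. A source that sends three queries to each host a second or two apart looks like a name lookup with NBNS retransmits, while a source that touches each address exactly once looks like a sweep. The sample lines are constructed from the ones in the thread, with the masked destination prefix replaced by the placeholder 192.0.2.x and a constructed second source; the log year and the 5-second burst window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first two groups from the thread (with 192.0.2.x as the
# placeholder destination network) plus a constructed source hitting each host once.
SAMPLE_LOG = """\
Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 192.0.2.16:137 L=78 S=0x00 I=63748 F=0x0000 T=112
Mar 27 22:00:27 input PROTO=17 204.210.104.156:137 192.0.2.16:137 L=78 S=0x00 I=5381 F=0x0000 T=112
Mar 27 22:00:28 input PROTO=17 204.210.104.156:137 192.0.2.16:137 L=78 S=0x00 I=5637 F=0x0000 T=112
Mar 27 22:00:36 input PROTO=17 204.210.104.156:137 192.0.2.17:137 L=78 S=0x00 I=58373 F=0x0000 T=112
Mar 27 22:00:37 input PROTO=17 204.210.104.156:137 192.0.2.17:137 L=78 S=0x00 I=58629 F=0x0000 T=112
Mar 27 22:00:39 input PROTO=17 204.210.104.156:137 192.0.2.17:137 L=78 S=0x00 I=59141 F=0x0000 T=112
Mar 27 22:01:30 input PROTO=17 198.51.100.9:137 192.0.2.16:137 L=78 S=0x00 I=100 F=0x0000 T=64
Mar 27 22:01:30 input PROTO=17 198.51.100.9:137 192.0.2.17:137 L=78 S=0x00 I=101 F=0x0000 T=64
Mar 27 22:01:30 input PROTO=17 198.51.100.9:137 192.0.2.19:137 L=78 S=0x00 I=102 F=0x0000 T=64
"""

# Only UDP (PROTO=17) packets from port 137 to port 137 are of interest here.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) input PROTO=17 "
    r"(?P<src>[\d.]+):137 (?P<dst>[\d.]+):137 ")

def parse(log, year=2000):
    """Return sorted (time, src, dst) tuples; the year is not logged, so it is assumed."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((t, m["src"], m["dst"]))
    return sorted(events)

def classify(events, window=5.0, retries=3):
    """Label each source: 'lookup' if every target got >= `retries` queries inside
    `window` seconds (NBNS retransmit pattern), 'sweep' if every target was hit
    exactly once, otherwise 'mixed'."""
    by_pair = defaultdict(list)
    for t, src, dst in events:
        by_pair[(src, dst)].append(t)
    labels = defaultdict(set)
    for (src, dst), times in by_pair.items():
        # Largest number of packets to this target that fall within one window.
        burst = max(sum(1 for u in times if 0 <= (u - t).total_seconds() <= window)
                    for t in times)
        labels[src].add("lookup" if burst >= retries else
                        "sweep" if len(times) == 1 else "mixed")
    return {src: (s.pop() if len(s) == 1 else "mixed") for src, s in labels.items()}
```

Running `classify(parse(SAMPLE_LOG))` labels 204.210.104.156 as a lookup source and the constructed 198.51.100.9 as a sweep.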