OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Re: many attempts to Port 137 (NetBIOS-NameService)
From: Joerg Walter (joerg.waltermembers.debis.at)
Date: Thu Feb 17 2000 - 01:56:43 CST

----- Original Message -----
From: Robert Graham <robert_david_grahamyahoo.com>
To: Joerg Walter <joerg.waltermembers.debis.at>; <firewall-wizardsnfr.net>
Sent: Donnerstag, 17. Februar 2000 02:58
Subject: Re: many attempts to Port 137 (NetBIOS-NameService)

> I wouldn't be worried:
> http://www.robertgraham.com/pubs/firewall-seen.html#port137

good site, very informative :-))

> Are the source ports 137 as well? A 137->137 packet is almost certainly a
> request from a Windows machine, or a response. For example, you might have
a
> machine internally sending out NetBIOS requests, and these might be the
> responses.

Most of the packets have Source-Port > 1024 but some have Port 137 as well.
I will check out, if there are any machines in the inside-net, which
probably try to resolve Host-Names via NetBIOS. Maybe these incoming packets
are just the responses.

Thanks for your help! - Joerg Walter

> Alternatively, for some reason, these might be Windows machines trying to
do a
> reverse DNS lookup on your machine. If the DNS server doesn't respond in a
> timely manner, Windows machines will give up and try a NetBIOS query to
resolve
> your name. This is part of Microsoft's Winsock implementation, so it is an
OS
> thing rather than an application thing. I know this is weird advice: check
your
> DNS server, it may fix the problem.
>
> In any event, grab a packet sniffer (like tcpdump, which is probably
installed
> by default on your Linux box) and capture the packets to a file. If you
send me
> the file; I could probably figure out what these NetBIOS packets are
looking
> for (warning: you would be disclosing sensitive info if you did this).
>
> Rob.