[14534] in North American Network Operators' Group
Re: UDP port 137 Question
daemon@ATHENA.MIT.EDU (Dalvenjah FoxFire)
Tue Jan 6 13:59:18 1998
From: Dalvenjah FoxFire <dalvenjah@dal.net>
To: jlarsen@ford.ajtech.com (C. Jon Larsen)
Date: Tue, 6 Jan 1998 10:52:43 -0800 (PST)
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.3.95.980106124853.21848A-100000@ford.ajtech.com> from "C. Jon Larsen" at Jan 6, 98 12:54:52 pm
C. Jon Larsen put this into my mailbox:
>
> Is there any *valid* reason to see UDP traffic directed at a unix box's
> port 137 coming from IP sources across the internet? The unix servers in
> question are most definitely *not* running samba, and there is absolutely
> no NT anywhere on this customer's network (that is seeing the incoming UDP
> traffic directed at an IP destination address on port 137). (A couple
> of 95 boxes scattered across an Ethernet comprise the Micro$oft part of
> the network). None of the 95 boxen are running any file or print serving
> (sharing) resources.
>
> I can't think of any valid reason to see this traffic, personally. Anybody
> out there that can present a scenario where I would expect to see these
> UDP packets coming back in?

No. Doubtless some idiot thinks everybody runs WinDoze and is trying to
winnuke you, especially if several boxes get hit one after the other.
E-mail the contacts of the source address and ask that the account
be removed; chances are the person wasn't clueful enough to spoof the
source address.
-dalvenjah
--
Dalvenjah FoxFire (aka Sven Nielsen)
Founder, the DALnet IRC Network
e-mail: dalvenjah@dal.net
whois: SN90 WWW: http://www.dal.net/~dalvenjah/

"Hath not a dude eyes? If you prick us, do we not get bummed? If we eat bad
guacamole, do we not blow chunks?"
- Keanu Reeves as Shylock in The Critic