Its very to extremely common to see this traffic
hitting a firewall. Its one of the first places nmap, nessus, et. al. will
look. Best practice would be to block this unnecessary traffic from the
internet segment both incomming and outgoing. Unless your connecting directly
through the Internet to another site. Then I'd suggest using an encrypted VPN.
For fun you can see what DShield, part of ISC SANS has reported via firewall
logs to them from around the world. Heres the link for port 137:
http://isc.sans.org/port_details.php?port=137&repax=1&tarax=2&srcax=2&percent=N&days=40
You check all your favorite ports this way. As
you can see your not alone in seeing a great deal of interest on this port,
eventhough it didn't make todays 'Top 10'
Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
Fax: (312) 762-9275
The contents contain privileged and/or confidential information intended for
the named recipient of this email. ETSI (Employee Technology Solutions, Inc.)
does not warrant that the contents of any electronically transmitted
information will remain confidential. If the reader of this email is not the
intended recipient you are hereby notified that any use, reproduction,
disclosure or distribution of the information contained in the email in error,
please reply to us immediately and delete the document.
Viruses, Malware, Phishing and other known and unknown electronic threats: It
is the recipient/client's duties to perform virus scans and otherwise test the
information provided before loading onto any computer system. No warranty is
made that this material is free from computer virus or any other defect.
Any loss/damage incurred by using this material is not the sender's
responsibility. Liability will be limited to resupplying the material.
Yeah I know about going client à DC. I'm trying to figure out why the
*DC* is establishing connections to the client.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From: [EMAIL PROTECTED]
[mailto:
[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 21, 2006 6:05 AM
To: [email protected]
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139
netbios-ns 137/tcp
NETBIOS Name Service
netbios-ns 137/udp NETBIOS Name Service
netbios-dgm 138/tcp NETBIOS Datagram Service
netbios-dgm 138/udp NETBIOS Datagram Service
netbios-ssn 139/tcp NETBIOS Session Service
netbios-ssn 139/udp NETBIOS Session Service
It's been a while, but you may find
that all 3 are needed.
If memory serves - 137 is used to
resolve names; 138 to send/receive data; 139 to establish and maintain the
session.
neil
From: [EMAIL PROTECTED]
[mailto:
[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: 21 September 2006 09:30
To: [email protected]
Subject: Re: [ActiveDir] DC Establishing Session to client on TCP139
It's probably SMB (CIFS). The NT5.x client
service attempts to establish SMB sessions using both 445 and 137/8/9
(whichever one). The first to reply is what is used. If 445, it's
SMB over TCP/IP. If the NetBT 3, then it's SMB over NetBIOS over TCP/IP
(NetBT).
Note. It doesn't use all three of the NetBT3,
I just don't remember what's what.
--Paul
----- Original Message -----
From: Brian Desmond
To: [email protected]
Sent: Thursday, September 21, 2006 2:53 AM
Subject: [ActiveDir] DC Establishing Session to
client on TCP139
I'm seeing a lot of hits in
firewall logs for DCs trying to establish sessions to clients on TCP139 (NBT
Session Service). Does anyone know why this is happening or if it's necessary?
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
PLEASE READ: The information
contained in this email is confidential and
intended for the named
recipient(s) only. If you are not an intended
recipient of this email please
notify the sender immediately and delete your
copy from your system. You must not
copy, distribute or take any further
action in reliance on it. Email is
not a secure method of communication and
Nomura International plc ('NIplc')
will not, to the extent permitted by law,
accept responsibility or liability
for (a) the accuracy or completeness of,
or (b) the presence of any virus,
worm or similar malicious or disabling
code in, this message or any
attachment(s) to it. If verification of this
email is sought then please
request a hard copy. Unless otherwise stated
this email: (1) is not, and should
not be treated or relied upon as,
investment research; (2) contains
views or opinions that are solely those of
the author and do not necessarily
represent those of NIplc; (3) is intended
for informational purposes only
and is not a recommendation, solicitation or
offer to buy or sell securities or
related financial instruments. NIplc
does not provide investment
services to private customers. Authorised and
regulated by the Financial
Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35.
Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the
Nomura group of companies.
|
Message scanned by TrendMicro
|
Message scanned by TrendMicro |
