Some might be surprised how many win95 boxes are on the net without the
patches to guard against the tcp/ip stack issues from a few years back,
sping and such. Might well be the new crop of script kiddies testing old
sploits. But, since the traffic should not be routed and certainly should
not be exposed from the inner networks out, dropping the packets at the
border router and/or firewall should suffice.
Thanks,
Ron DuFresne
On Thu, 3 May 2001, Crumrine, Gary L wrote:
> I agree with Carl. I am not so sure that this can be just explained away as
> being normal Microsoft activity. I too have seen a great deal of this type
> of activity, and it just started about 6 months ago. I know the same
> subject has come up on this thread at least 3 times now. It sure sounds
> like it is another MS "issue".
>
> > -----Original Message-----
> > From: Carl E. Mankinen [SMTP:[EMAIL PROTECTED]]
> > Sent: Wednesday, May 02, 2001 10:06 PM
> > To: firewall discussion list
> > Subject: RE: lots of port 137 in deny log
> >
> > Yeah, try this if you have a MS Proxy 2.0 server.
> > Punch in a URL like <http://209.247.228.201> and watch what your proxy
> > server does.
> > It will send a nbname packet to that address. I am not sure if this is
> > related to WebSense, or what.
> > I suppose it might be WebSense trying to find out the "name" of the server
> > for its logging purposes, but wouldn't
> > that best be done thru a reverse DNS lookup? weird.
> >
> > Squid didn't do that (go figure, it's running on Solaris)
> >
> > The nbname packets that are clogging my logs are from all over creation.
> > Asia, Russia, U.S., Europe, etc etc.
> > I doubt it's anything other than malicious.
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Wednesday, May 02, 2001 8:33 PM
> > To: firewall discussion list; [EMAIL PROTECTED]
> > Subject: Re: lots of port 137 in deny log
> >
> >
> >
> > Carl,
> >
> > There are numerous netbios based scanners out there so "malicious
> > intent" is certainly a possibility. But, I had a similar problem on a
> > firewall I was administering. I traced it back to a company on the same
> > ISP segment I was on that had netbios enabled on their web and proxy
> > servers. These two servers accounted for 700-800 port 137 denies every
> > day. It was interesting to watch because they would first try specific
> > addresses, then broadcast addresses then class B broadcasts.
> >
> > It's interesting to monitor segments with NT boxes on them. Even
> > when you set up security controls on the interfaces to block everything
> > but TCP/IP, they still send out mailbox queries and other garbage. Go
> > figure.
> >
> > -- Bill Stackpole, CISSP
> >
> >
> >
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
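
Added example, not part of the original thread: one way to triage the port 137 denies discussed above is to count them per source and note whether each source hits single hosts, broadcast addresses, or class B broadcasts, the progression Bill Stackpole describes. The log format, addresses and function names are constructed for illustration; the broadcast test is a simple last-octet heuristic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed "DENY proto src:port -> dst:port"
# layout; adapt LINE_RE to the real format of your firewall's deny log.
SAMPLE_LOG = """\
May  2 20:01:11 fw DENY udp 198.51.100.7:137 -> 192.0.2.10:137
May  2 20:01:12 fw DENY udp 198.51.100.7:137 -> 192.0.2.255:137
May  2 20:01:13 fw DENY udp 198.51.100.7:137 -> 192.0.255.255:137
May  2 20:02:40 fw DENY udp 203.0.113.9:1026 -> 192.0.2.10:137
May  2 20:03:02 fw DENY tcp 203.0.113.9:4410 -> 192.0.2.10:80
"""

LINE_RE = re.compile(r"DENY (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")

def dest_kind(dst):
    """Classify a destination by its trailing octets (heuristic only)."""
    octets = dst.split(".")
    if octets[2:] == ["255", "255"]:
        return "class-b-broadcast"
    if octets[3] == "255":
        return "broadcast"
    return "host"

def summarize_137(log_text):
    """Return {source: (deny_count, sorted destination kinds)} for UDP/137."""
    counts = Counter()
    kinds = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a deny line in the assumed format
        proto, src, _sport, dst, dport = m.groups()
        if proto != "udp" or dport != "137":
            continue  # only NetBIOS name service traffic is of interest
        counts[src] += 1
        kinds[src].add(dest_kind(dst))
    # most_common() puts the noisiest sources first
    return {src: (n, sorted(kinds[src])) for src, n in counts.most_common()}

if __name__ == "__main__":
    for src, (n, seen) in summarize_137(SAMPLE_LOG).items():
        print(f"{src}: {n} denies, destinations: {', '.join(seen)}")
```

A source that walks from host to broadcast to class B broadcast destinations looks like the misconfigured neighbour described in the thread; many unrelated sources each hitting a single host fits the scanning explanation better.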