Date: Tue, 18 Aug 1998 10:53:21 -0600
From: Kenneth Ingham
To: freebsd-security@FreeBSD.ORG
Subject: Port 137 (was: Re: private network on router's external NIC?)
Message-ID: <19980818105321.58178@i-pi.com>
References: <35D8A7E8.2DC50695@partitur.se>

On Tue, Aug 18, 1998 at 10:00:54AM +0200, Dag-Erling Coidan Smørgrav wrote:
> Forged packets to the NetBIOS ports are with 99% certainty attempted
> DoS attacks (which will only succeed against Winblows boxen)

Except that Netbios-NS (137) port lookups come from machines with WINS
turned on doing web browsing. I tracked this down after I sent out email
to someone who was bouncing off of my firewall. It appears that M$ tries
a lookup with port 137 before the browser actually connects to get web info.

So, port 137 may not be a denial of service attack, could be just
mis-configured boxes. (but it could also be an attack...)

Kenneth
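One way to triage port-137 hits along the lines of the message above, as an added example that is not part of the original post: it checks whether each UDP/137 packet is followed shortly afterwards by a TCP/80 connection from the same source. The log format, the sample records and the names `triage_port_137` and `window` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (hypothetical format):
# "epoch_seconds proto src_ip dst_port"
SAMPLE_LOG = """\
903459200 udp 192.0.2.10 137
903459201 tcp 192.0.2.10 80
903459300 udp 198.51.100.7 137
903459301 udp 198.51.100.7 137
903459302 udp 198.51.100.7 137
903459400 udp 203.0.113.5 137
903459460 tcp 203.0.113.5 80
"""

def parse(log_text):
    """Yield (timestamp, proto, src, dport) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or not parts[3].isdigit():
            continue
        yield int(parts[0]), parts[1].lower(), parts[2], int(parts[3])

def triage_port_137(log_text, window=10):
    """Label each source of UDP/137 traffic.

    'web-lookup' : every 137 packet was followed by a TCP/80 connection
                   from the same source within `window` seconds.
    'unexplained': at least one 137 packet had no such follow-up
                   (misconfiguration or attack; needs a closer look).
    """
    probes = defaultdict(list)  # src -> timestamps of UDP/137 packets
    web = defaultdict(list)     # src -> timestamps of TCP/80 connections
    for ts, proto, src, dport in parse(log_text):
        if proto == "udp" and dport == 137:
            probes[src].append(ts)
        elif proto == "tcp" and dport == 80:
            web[src].append(ts)
    verdicts = {}
    for src, times in probes.items():
        matched = all(any(0 <= w - t <= window for w in web[src]) for t in times)
        verdicts[src] = "web-lookup" if matched else "unexplained"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(triage_port_137(SAMPLE_LOG).items()):
        print(src, verdict)
```

A UDP source address on its own can be forged, so the follow-up TCP connection, which needs a completed handshake, is what lends weight to the "web-lookup" label.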