
UDP on Port 137 - Problem or Not?

UDP packets sent to port 137 (the NetBIOS Name Service) from port 137 on other computers are the most often seen probe on the Internet today. My firewall blocks at least six of these daily, from all over the planet.

However, many ISP security folks, and some purported security experts' web sites, will tell you that these probes are nothing to worry about. "It's harmless," they tell you, "it's just like a nameserver query."

Okay. Ask yourself why someone halfway across the country would want to know what your NetBIOS hostname is. Ask yourself what this person is doing snooping around on your subnet anyway.

The answer is obvious: He's trying to examine some shares.

TCP/IP has transported his packets to your computer's IP address. But NetBIOS works with names, not IP addresses. A node status query to UDP port 137 (the same thing nbtstat -A does) returns your computer's NetBIOS name table: the machine name, its workgroup, the name of the logged-on user (if any), and whether the file server service is registered. With the machine name in hand he can open a NetBIOS session on TCP port 139 and send it SMB commands to see how it's set up... see what the share names are... and attach to them.

But he's gotta find that NetBIOS name first.
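What that 137 to 137 datagram actually carries, and what comes back, as an added example (this is not code from the original page; it is a reconstruction of the NetBIOS node status query and response from RFC 1001/1002). The sample response, with the names HOMEPC, WORKGROUP and JOE and the MAC address in it, is constructed for the example; the send_probe helper is an assumption about how the request would be put on the wire and is not exercised here.

```python
import socket
import struct

NBNS_PORT = 137
NBSTAT = 0x0021            # node status record type (RFC 1002)
CLASS_IN = 0x0001
NAME_FLAG_GROUP = 0x8000   # G bit of NODE_NAME flags: 1 = group name, 0 = unique name

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 s.14.1): 15 name bytes plus one suffix byte,
    each byte split into two nibbles written as 'A' + nibble (32 letters), with a
    length byte in front and an empty root label (no scope) behind."""
    raw = name.upper().encode("ascii")
    pad = b"\x00" if raw == b"*" else b" "      # the wildcard '*' is NUL-padded
    raw = (raw + pad * 15)[:15] + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(encoded) + b"\x00"

def build_node_status_request(txid: int = 0x1234) -> bytes:
    """The datagram a 137->137 probe carries: one NBSTAT question for '*'.
    Header: ID, flags 0 (query, unicast), QDCOUNT=1, AN/NS/ARCOUNT=0."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_netbios_name("*") + struct.pack("!HH", NBSTAT, CLASS_IN)
    return header + question

def parse_node_status_response(pkt: bytes) -> dict:
    """Pull the NODE_NAME table and the UNIT_ID (adapter MAC) out of a response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a NBSTAT response")
    off = 12
    while pkt[off] != 0:            # skip the encoded name labels of the answer RR
        off += 1 + pkt[off]
    off += 1
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type 0x%04x" % rtype)
    num_names = pkt[off]
    off += 1
    names = []
    for _ in range(num_names):      # entry: 15-byte name, 1-byte suffix, 2-byte flags
        entry = pkt[off:off + 18]
        off += 18
        name = entry[:15].rstrip(b" ").decode("ascii", "replace")
        nflags = struct.unpack("!H", entry[16:18])[0]
        names.append((name, entry[15], bool(nflags & NAME_FLAG_GROUP)))
    mac = pkt[off:off + 6]          # STATISTICS begins with UNIT_ID, the MAC address
    return {"txid": txid, "names": names, "mac": ":".join("%02x" % b for b in mac)}

def summarize(info: dict) -> dict:
    """What the prober learns: unique <00> = machine name, group <00> = workgroup,
    unique <03> other than the machine name = logged-on user, unique <20> = file
    server service registered, so shares may be offered on TCP 139."""
    names = info["names"]
    host = next((n for n, s, g in names if s == 0x00 and not g), None)
    workgroup = next((n for n, s, g in names if s == 0x00 and g), None)
    users = [n for n, s, g in names if s == 0x03 and not g and n != host]
    return {"host": host, "workgroup": workgroup, "users": users,
            "file_sharing": any(s == 0x20 and not g for _, s, g in names),
            "mac": info["mac"]}

def build_sample_response(txid: int = 0x1234) -> bytes:
    """Constructed response shaped like a Windows box with file sharing on and
    user JOE logged in.  Names and MAC are made up for the example."""
    entries = [("HOMEPC", 0x00, False), ("WORKGROUP", 0x00, True),
               ("HOMEPC", 0x03, False), ("HOMEPC", 0x20, False),
               ("WORKGROUP", 0x1E, True), ("JOE", 0x03, False)]
    rdata = bytes([len(entries)])
    for name, suffix, group in entries:
        rdata += name.encode().ljust(15, b" ") + bytes([suffix])
        rdata += struct.pack("!H", 0xC400 if group else 0x4400)   # active name flags
    rdata += bytes.fromhex("00a0c9123456") + b"\x00" * 40         # UNIT_ID + zeroed stats
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)       # response, authoritative
    rr = encode_netbios_name("*") + struct.pack("!HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata

def send_probe(target: str, timeout: float = 2.0) -> dict:
    """Assumed helper, not run here.  Windows sends this query from port 137
    itself, which is why firewall logs show 137 -> 137; an unprivileged script
    like this goes out from an ephemeral port instead."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_node_status_request(), (target, NBNS_PORT))
    data, _ = sock.recvfrom(2048)
    sock.close()
    return summarize(parse_node_status_response(data))

if __name__ == "__main__":
    print(summarize(parse_node_status_response(build_sample_response())))
```

Run stand-alone it prints the machine name, workgroup, logged-on user, file-sharing flag and MAC recovered from the constructed response: everything the prober needs before moving on to TCP port 139.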

Is this not similar to connecting to a telnet server just to read its login banner and learn which operating system is in use, so that an appropriate exploit can be chosen?

Oh, but the "experts" don't seem to think it's a problem.... or do they?

Here is The Problem

Most ISPs have a security function which is understaffed, short on other resources, and facing an increasingly heavy workload. This is especially true of the cable modem outfits, such as @Home and RoadRunner. These ISPs typically have ONE security group watching over their entire nationwide network. You know they're busy.

As such, the only ways they can reduce their workload are:

These tactics are irresponsible and dangerous.

Unwanted UDP probes on port 137 from computers you don't know could be the first step in an effort to compromise your system, and should be treated as such.

What You Should Do

Kevin Mitnick said that any computer connected to the Internet is NOT secure. Kevin knows what he's talking about.

  1. Obtain and install a firewall. Don't be satisfied with an intrusion detection system alone unless it can also block ports. Do the research.
  2. Configure it properly to do the job.
  3. Test your configuration.
  4. Closely monitor the logs to see if you're being messed with.
  5. Report hits to the originating ISP.
  6. Keep up with what's going on.
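An added example for steps 4 and 5 above (not code from the original page): a small log sifter that runs over constructed sample firewall log lines in the netfilter LOG-target format, separates remote 137 to 137 name probes from the normal NetBIOS broadcast chatter of neighbours on your own segment, notices when a probe from a source was followed by a TCP 139 session attempt from the same source, and formats a summary you can paste into a report to that source's abuse contact. The log lines, the addresses, the local subnet 198.51.100.0/24 and the inclusion of TCP 445 (the direct-SMB port of later Windows versions, beyond the port 139 the page discusses) are my assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in netfilter LOG-target format (not from a real log).
# 203.0.113.77 sends three 137->137 name probes, then tries a TCP 139 session;
# 192.0.2.9 probes 137 from a high port (a scanner rather than a Windows box);
# 198.51.100.200 is a neighbour on the local segment broadcasting normally.
SAMPLE_LOG = """\
Mar 12 03:14:07 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.23 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=4711 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 12 03:14:09 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.23 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=4712 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 12 03:14:11 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.23 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=4713 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 12 03:20:41 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.23 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4720 PROTO=TCP SPT=1053 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 12 04:02:55 gw kernel: DROP IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.23 LEN=78 TOS=0x00 PREC=0x00 TTL=49 ID=2 PROTO=UDP SPT=1031 DPT=137 LEN=58
Mar 12 04:30:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 12 05:00:01 gw kernel: DROP IN=ppp0 OUT= SRC=192.0.2.50 DST=198.51.100.23 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=77 PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line: str):
    """One LOG line -> dict of its KEY=VALUE fields plus the syslog timestamp,
    or None for lines that are not packet log entries."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields or "PROTO" not in fields:
        return None
    fields["timestamp"] = " ".join(line.split()[:3])
    return fields

def classify(rec: dict, local_net) -> str:
    """Label a hit.  Neighbours' Windows boxes register names and browse by
    broadcast to 137 all day; that is noise, not an attack.  A remote unicast
    query to 137 is the probe the page describes, and a TCP 139/445 attempt
    is the follow-up step (445 is an assumption beyond the page's 139)."""
    src = ip_address(rec["SRC"])
    spt, dpt = int(rec.get("SPT", 0)), int(rec.get("DPT", 0))
    if rec["PROTO"] == "UDP" and dpt == 137:
        if src in local_net:
            return "local-netbios"
        return "nbstat-probe" if spt == 137 else "nbstat-probe-scanner"
    if rec["PROTO"] == "TCP" and dpt in (139, 445):
        return "smb-session-attempt"
    return "other"

def build_report(log_text: str, local_cidr: str) -> dict:
    """Group NetBIOS/SMB hits by source with first/last time and counts per kind,
    and flag sources whose name probe was followed by a session attempt."""
    local_net = ip_network(local_cidr)
    per_src = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec, local_net)
        if kind in ("other", "local-netbios"):
            continue
        e = per_src.setdefault(rec["SRC"], {"dst": rec["DST"], "first": rec["timestamp"],
                                            "last": None, "events": {}})
        e["last"] = rec["timestamp"]
        e["events"][kind] = e["events"].get(kind, 0) + 1
    for e in per_src.values():
        e["followed_up"] = "smb-session-attempt" in e["events"]
    return per_src

def format_abuse_report(report: dict) -> str:
    """Plain-text lines to send to each source's abuse contact (step 5)."""
    lines = []
    for src, e in sorted(report.items()):
        events = ", ".join("%d x %s" % (n, k) for k, n in sorted(e["events"].items()))
        flag = " (followed by SMB session attempt)" if e["followed_up"] else ""
        lines.append("%s -> %s: %s between %s and %s%s"
                     % (src, e["dst"], events, e["first"], e["last"], flag))
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_abuse_report(build_report(SAMPLE_LOG, "198.51.100.0/24")))
```

The point of the local-segment check is step 3 and 4 together: on a cable or DSL segment you will log 137 hits from your neighbours constantly, and if you report every one of them the ISP's security group will stop reading your mail. The report is for the remote sources, and the ones that came back for port 139 are the ones to put at the top.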

You'd naturally want to keep burglars out of your neighborhood. Let's get these cyber-burglars off the 'net.

KDJ