Scan or just silly behavior?

Christopher R. Hertel crh at ubiqx.mn.org
Wed Sep 20 02:54:50 GMT 2000


I'm confused.

I have a home firewall (as does everyone with home connectivity, right?) 
and I've been seeing what appear to be scans against NetBIOS ports.  All
of the scans are sourced from cable providers' networks (RoadRunner and
@Home, in particular--I can't tell if shaw.ca is really @Home or not).
The source changes, though, and each scan has the same pattern.

Scans against NetBIOS-NS (UDP/137) always come in 3's and scans against
NetBIOS-SSN (TCP/139) always in 4's.

Now, I know that the normal number of name service retries is 3, so I
expect to see three tries against UDP/137.  (If this is a scanner, then
the author doesn't understand the code.  Why retry three times if you're
scanning for vulnerabilities--your goal is to be fast, not meticulous.)

I'm also aware that Microsoft's IP reverse name resolution tries an
Adapter Status call before actually going to the DNS (go figure), so there
is always the possibility that this is some sort of reverse lookup.  But
why?  Hmmm...

Also, there are the NetBIOS-SSN probes.  None of the lines listed below are
from the same source.  The number in the third column represents retries.
Again, I'm seeing 4 retries per NetBIOS-SSN attempt.


### Traffic by destination address:
    ubiqx.mn.org [192.168.100.2]
        we0      block     3    udp     netbios-ns <- netbios-ns
        we0      block     3    udp     netbios-ns <- netbios-ns
        we0      block     4    tcp    netbios-ssn <- <3570>
        we0      block     4    tcp    netbios-ssn <- <2229>
        we0      block     4    tcp    netbios-ssn <- <2338>
        we0      block     4    tcp    netbios-ssn <- <2711>


I'm going to try doing some sniffing to see what's in these.  I'm curious,
I guess.  I thought that @Home was blocking the NetBIOS service ports but
it seems not.  I'm on MediaOne (RoadRunner), and I really do recommend
that people put up a firewall.  My own is a 486DX2/66 running OpenBSD.  Cost
me all of $30 for the parts (and that was over a year ago).

Chris -)-----

-- 
Samba Team -- http://samba.org/         -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   Open Source utilities
Amiga Team -- http://www.amiga.com/     -)-----   crh at ubiqx.mn.org
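Editor's note: the post above plans to sniff the UDP/137 traffic to see what the three probes carry.  The following is an added example, not code from the post, from Samba or from jCIFS.  It builds and parses the RFC 1002 NetBIOS Name Service request datagram, so a captured UDP/137 payload can be classified as either a Node Status request for the wildcard name "*" (the request the post refers to as an Adapter Status call, which is always 50 bytes and NUL-padded) or an ordinary NetBIOS name query.  Port, QTYPE and flag values are from RFC 1002; the sample datagram at the bottom is constructed by hand, not a real capture, and the function names are this example's own.

```python
import struct

NBNS_PORT = 137        # NetBIOS Name Service, UDP (RFC 1002)
QTYPE_NB = 0x0020      # general NetBIOS name query
QTYPE_NBSTAT = 0x0021  # Node Status request (the "Adapter Status" call)
QCLASS_IN = 0x0001


def encode_netbios_name(name, suffix=0x00, pad=b" "):
    """RFC 1002 first-level encoding: pad the name to 15 bytes, append the
    1-byte suffix, then write each byte as two nibbles offset from 'A'.
    Always yields 32 bytes, so a decoder never has to guess the length."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = raw.ljust(15, pad) + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes(out)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a 32-byte first-level encoded name")
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41)
                for hi, lo in zip(encoded[0::2], encoded[1::2]))
    # Ordinary names are space-padded, the '*' wildcard is NUL-padded.
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def build_nbns_query(trn_id, name, qtype, suffix=0x00, broadcast=False, pad=b" "):
    """One-question NBNS request: 12-byte header, 34-byte question name
    (length 0x20 + 32 encoded bytes + empty scope), then QTYPE and QCLASS."""
    flags = 0x0000                      # R=0, OPCODE=QUERY
    if qtype == QTYPE_NB:
        flags |= 0x0100                 # RD is set on ordinary name queries
    if broadcast:
        flags |= 0x0010                 # B flag
    header = struct.pack(">HHHHHH", trn_id, flags, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name, suffix, pad) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, QCLASS_IN)


def build_node_status_request(trn_id):
    """NBSTAT for the wildcard '*': NUL-padded, no RD, 50 bytes in total."""
    return build_nbns_query(trn_id, "*", QTYPE_NBSTAT, pad=b"\x00")


def parse_nbns_query(payload):
    """Decode a captured UDP/137 payload far enough to say what it asks for."""
    if len(payload) < 12:
        raise ValueError("short NBNS header")
    trn_id, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question request")
    pos = 12
    if payload[pos] != 32:
        raise ValueError("first label must be the 32-byte encoded name")
    name, suffix = decode_netbios_name(payload[pos + 1:pos + 33])
    pos += 33
    scope = []
    while payload[pos] != 0:            # optional scope labels, DNS style
        n = payload[pos]
        scope.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1                            # root label terminator
    qtype, qclass = struct.unpack(">HH", payload[pos:pos + 4])
    return {
        "trn_id": trn_id, "flags": flags, "name": name, "suffix": suffix,
        "scope": ".".join(scope), "qtype": qtype, "qclass": qclass,
        "is_node_status": qtype == QTYPE_NBSTAT and name == "*",
    }


# Constructed sample, not a real capture: the 50-byte Node Status request
# that build_node_status_request(0x1234) should produce, spelled out by
# hand so the parser is checked against a known RFC 1002 layout.
SAMPLE_NODE_STATUS_REQUEST = (
    b"\x12\x34"                             # NAME_TRN_ID
    + b"\x00\x00"                           # flags: query, no RD, unicast
    + b"\x00\x01\x00\x00\x00\x00\x00\x00"   # QDCOUNT=1, AN/NS/ARCOUNT=0
    + b"\x20" + b"CK" + b"A" * 30 + b"\x00" # '*' + 15 NULs, first-level encoded
    + b"\x00\x21\x00\x01"                   # QTYPE=NBSTAT, QCLASS=IN
)

if __name__ == "__main__":
    print(parse_nbns_query(SAMPLE_NODE_STATUS_REQUEST))
```

Feeding a sniffed UDP/137 payload to parse_nbns_query() gives the question name, suffix and QTYPE; three identical datagrams with is_node_status true match the retry pattern the post describes for a reverse lookup, while QTYPE_NB with a real workstation or domain name points at something else.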



