
SANS ISC: Call for packets udp/137 broadcast - SANS Internet Storm Center SANS ISC InfoSec Forums


Call for packets udp/137 broadcast

One of our readers has reported that he has seen broadcast traffic to udp/137. He suspected that the traffic caused a denial of service to some of his systems.

If you have seen such traffic and you would like to share some packets we would appreciate that.

 

Basil

56 Posts
ISC Handler
This might be pointing out the obvious to this crowd, but normally udp port 137 is the NetBIOS name service. It is on by default on all Windows systems, though I am not 100% sure about Windows Server 2012. So everybody has this type of traffic unless you manually disable NetBIOS on the network interfaces. Yes, I know that malware can communicate over this protocol and port.
Basil
2 Posts
Indeed, this may simply be a NetBIOS scan. Using auxiliary/scanner/netbios/nbname_probe in Metasploit produces lots of traffic on udp/137. I assume nbname queries could be broadcast for hostname discovery.
red0green

4 Posts
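To tell the two kinds of udp/137 traffic discussed in the replies apart in a capture, the following added example (not code from the thread or from SANS ISC) decodes the NetBIOS name and question type from a UDP payload per RFC 1001/1002. The two sample payloads are constructed, and treating a wildcard `*` node-status request as the signature of an enumeration tool is an assumption about how such scans usually look, not something the thread states.

```python
import struct

HDR = "!6H"  # txid, flags, qdcount, ancount, nscount, arcount
# Constructed sample payloads (UDP data only), not captures from the thread.
NODE_STATUS_WILDCARD = (struct.pack(HDR, 0x1337, 0x0000, 1, 0, 0, 0)
                        + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
                        + struct.pack("!HH", 0x0021, 1))
BROADCAST_NAME_QUERY = (struct.pack(HDR, 0x2A01, 0x0110, 1, 0, 0, 0)
                        + b"\x20" + b"FHFAEBEE" + b"CA" * 11 + b"AA" + b"\x00"
                        + struct.pack("!HH", 0x0020, 1))

def decode_nb_name(encoded: bytes):
    """Reverse first-level encoding: 32 letters A-P -> 16 raw bytes."""
    if len(encoded) != 32 or not all(0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # First 15 bytes are the padded name, the 16th is the service suffix.
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]

def triage_nbns(payload: bytes) -> dict:
    """Parse the first question of one udp/137 payload and label it."""
    if len(payload) < 50:
        raise ValueError("too short for an NBNS question")
    _txid, flags, qdcount, *_ = struct.unpack(HDR, payload[:12])
    if qdcount < 1 or payload[12] != 32 or payload[45] != 0:
        raise ValueError("unexpected question layout (scoped or malformed name)")
    name, suffix = decode_nb_name(payload[13:45])
    qtype, _qclass = struct.unpack("!HH", payload[46:50])
    info = {"name": name, "suffix": suffix, "qtype": qtype,
            "response": bool(flags & 0x8000),   # R bit
            "broadcast": bool(flags & 0x0010)}  # B bit of NM_FLAGS
    if qtype == 0x0021 and name == "*":
        info["verdict"] = "node-status-wildcard"  # assumed scan signature
    elif qtype == 0x0020 and not info["response"]:
        info["verdict"] = "name-query"            # normal name resolution
    else:
        info["verdict"] = "other"
    return info

if __name__ == "__main__":
    for pkt in (NODE_STATUS_WILDCARD, BROADCAST_NAME_QUERY):
        print(triage_nbns(pkt))
```

Counting verdicts per source address over a capture window shows whether the udp/137 volume is many hosts resolving names or one host sweeping the segment.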
