Call for packets udp/137 broadcast

Published: 2014-04-01
Last Updated: 2014-04-01 19:01:22 UTC
by Basil Alawi S.Taher (Version: 1)
2 comment(s)

One of our readers have reported that he has seen a broadcast traffic to udp/137 . He suspected that the traffic cause a denial of service to some of his systems.

If you have seen such traffic and you would like to share some packets we would appreciate that.

 

Keywords:
2 comment(s)

Comments

This might be pointing out the obvious to this crowd, but normally udp port 137 is NetBIOS name service. It is on by default on all windows systems, not 100% sure about windows server 2012. So everybody has this type of traffic unless you manually disable netbios on the network interfaces. Yes, I know that malware can communicate over this protocol and port.
Indeed, this may simply be a netbios scan. Using auxiliary/scanner/netbios/nbname_probe in metasploit produces lots of traffic on udp/137. I assume nbname queries could be broadcast for hostname discovery.
Diary Archives