
SANS ISC: Call for packets udp/137 broadcast - SANS Internet Storm Center SANS ISC InfoSec Forums

Call for packets udp/137 broadcast

One of our readers has reported that he has seen broadcast traffic to udp/137. He suspected that the traffic caused a denial of service to some of his systems.

If you have seen such traffic and you would like to share some packets we would appreciate that.



60 Posts
ISC Handler
Apr 1st 2014
This might be pointing out the obvious to this crowd, but normally udp port 137 is NetBIOS name service. It is on by default on all Windows systems, not 100% sure about Windows Server 2012. So everybody has this type of traffic unless you manually disable NetBIOS on the network interfaces. Yes, I know that malware can communicate over this protocol and port.
Indeed, this may simply be a NetBIOS scan. Using auxiliary/scanner/netbios/nbname_probe in Metasploit produces lots of traffic on udp/137. I assume nbname queries could be broadcast for hostname discovery.

4 Posts
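
For triaging captured udp/137 payloads of the kind requested above, the following added example (not part of the original thread) decodes the NetBIOS name service header and first question, so you can see whether a packet is a broadcast query and which name it asks about. The field layout follows RFC 1002; the function names and the two sample packets are constructed for illustration.

```python
import struct

QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}  # name query / node status (RFC 1002)

def encode_name(name, suffix=0x00, pad=b" "):
    """First-level encoding: 15 padded bytes + suffix, each nibble added to 'A'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def parse_nbns(payload):
    """Decode the header and first question of one udp/137 payload."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte NBNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    info = {
        "txid": txid,
        "response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0x0F,
        "broadcast": bool(flags & 0x0010),  # B bit of NM_FLAGS
        "questions": qd,
        "answers": an,
    }
    if qd == 0:
        return info
    # Question: length byte 0x20, 32 encoded bytes, root label, QTYPE, QCLASS
    if len(payload) < 50 or payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("truncated question or scoped name (not handled here)")
    enc = payload[13:45]
    if any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("name is not first-level encoded")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    qtype, _qclass = struct.unpack("!2H", payload[46:50])
    info["name"] = raw[:15].decode("ascii", "replace").rstrip(" \x00")
    info["suffix"] = raw[15]
    info["qtype"] = QTYPES.get(qtype, hex(qtype))
    return info

def build_query(name, qtype, flags, suffix=0x00, pad=b" "):
    """Constructed sample packet for the demo below, not captured traffic."""
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    return header + b"\x20" + encode_name(name, suffix, pad) + b"\x00" + struct.pack("!2H", qtype, 1)

# Constructed samples: a broadcast name query and a wildcard node status query
SAMPLES = [build_query("WORKGROUP", 0x0020, 0x0110),
           build_query("*", 0x0021, 0x0000, pad=b"\x00")]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(parse_nbns(pkt))
```

Feed `parse_nbns` the UDP payload bytes of each captured packet; counting results by source address, `broadcast` and `qtype` separates ordinary name resolution from a host sweeping the segment with status queries.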
