
One of our domain controllers is attempting to communicate on UDP 137 with an IP address registered to RIPE.NET in Amsterdam (5.5.13.36).  This attempt is blocked by our firewall rules:

Local4.Warning      192.168.1.6      Dec 07 2011 12:22:05: %ASA-4-106023: Deny udp src inside:192.168.95.50/137 dst Outside:5.5.13.36/137 by access-group "acl_BLOCKED" [0x9abf6a8d, 0xb46d3807]

Any idea why our DC would be attempting to make this type of connection?

According to the RIPE.NET website, this is what they do:
The RIPE NCC is one of five Regional Internet Registries (RIRs) providing Internet resource allocations, registration services and coordination activities that support the operation of the Internet globally

asked 12/07/2011 04:36


SpokaneISD ♦♦


2 Answers:
I copied the below excerpt from a blog. UDP traffic on port 137 is common for NetBIOS lookup.

UDP packets on port 137 are used to perform a NetBIOS name lookup. Within Microsoft's Windows file sharing, these lookups are similar to DNS in that they resolve an IP to a computer name and back. While many of these lookups are harmless and may be performed automatically if DNS or reverse DNS fails, they are also a first step to enumerate and maybe exploit open file shares. There are a number of viruses and worms that exploit open shares, most notably Bugbear. Also, a number of IRC controlled 'bots' spread using open file shares. Important: ALWAYS use a password to protect shared resources. However, Microsoft file sharing is intended for a closed LAN environment, and if at all possible should not be used across the public Internet.

answered


Patmac951

So the blog says "these lookups are harmless and may be performed automatically if DNS or reverse DNS fails" but then goes on to say that "if at all possible (NetBIOS) should not be used across the public Internet."

I fired up a sniffer & watched outbound NetBIOS traffic & see a few other NetBIOS requests from our Domain Controller to other Internet servers.

I guess it will remain a mystery.

answered 2011-12-07 at 12:59:09


SpokaneISD
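
Added example (not part of the original thread): one way to review the firewall's deny log for the pattern discussed above, parsing %ASA-4-106023 lines and listing, per internal host, the external addresses it tried to reach on UDP 137. The function name, the RFC 1918 definition of "internal", and every sample line except the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Field layout of the %ASA-4-106023 deny message quoted in the question.
ASA_106023 = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)
# Assumption: "internal" means RFC 1918 space; adjust to the site's own ranges.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETBIOS_NS = 137  # NetBIOS name service port

def external_netbios_denies(lines):
    """Return {internal source IP: [external destinations]} for denied
    UDP 137 packets, so each host's outbound lookups can be reviewed."""
    hits = defaultdict(set)
    for line in lines:
        m = ASA_106023.search(line)
        if not m or m["proto"].lower() != "udp" or int(m["dst_port"]) != NETBIOS_NS:
            continue
        try:
            dst = ipaddress.ip_address(m["dst_ip"])
        except ValueError:  # malformed address in a damaged log line
            continue
        if not any(dst in net for net in INTERNAL):
            hits[m["src_ip"]].add(dst)
    return {src: [str(d) for d in sorted(dsts)] for src, dsts in hits.items()}

PREFIX = "Local4.Warning 192.168.1.6 Dec 07 2011 12:22:05: %ASA-4-106023: Deny "
TAIL = ' by access-group "acl_BLOCKED" [0x0, 0x0]'
SAMPLE_LOG = [
    # The deny line from the question, verbatim apart from whitespace.
    PREFIX + "udp src inside:192.168.95.50/137 dst Outside:5.5.13.36/137"
    ' by access-group "acl_BLOCKED" [0x9abf6a8d, 0xb46d3807]',
    # Constructed lines: second external target, non-NetBIOS deny, internal target.
    PREFIX + "udp src inside:192.168.95.50/137 dst Outside:203.0.113.7/137" + TAIL,
    PREFIX + "tcp src inside:192.168.95.51/49152 dst Outside:203.0.113.7/445" + TAIL,
    PREFIX + "udp src inside:192.168.95.50/137 dst dmz:10.0.0.5/137" + TAIL,
]

if __name__ == "__main__":
    for src, dsts in external_netbios_denies(SAMPLE_LOG).items():
        print(src, "->", ", ".join(dsts))
```

Grouping by source host shows whether one machine is generating all of the outbound lookups and which external addresses it keeps retrying, which is the starting point for correlating with failed DNS or reverse DNS queries on that host.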


Asked: 12/07/2011 04:36

Seen: 115 times

Last updated: 12/08/2011 03:07