On Oct 1, 2008, at 11:03 AM, Jon Ziminsky wrote:
I have a server that is spewing UDP packets on port 137. Here is a  
sample of the capture:
214  4.762671  <hidden>  65.200.10.34  NBNS  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
NBSTAT queries are often used to resolve an IP address to a NetBIOS  
name.  65.200.10.34 is aquaultraviolet.com; might some software on  
your server be trying to look up, or access, that host (which hosts  
Aqua Ultraviolet's Web server; they're a company in California that  
makes sterilization equipment using ultraviolet light) - either on its  
own behalf or on behalf of a client?  If so, it might be looking up  
the NetBIOS name, because it appears that a DNS reverse lookup doesn't  
work:
	$ host 65.200.10.34
	Host 34.10.200.65.in-addr.arpa. not found: 3(NXDOMAIN)
so Windows' reverse-IP-lookup code might try a reverse NetBIOS lookup  
if a reverse DNS lookup fails.
217  1.771319  <hidden>  24.64.209.155  NBNS  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
A reverse DNS lookup of that failed as well:
	$ host 24.64.209.155
	Host 155.209.64.24.in-addr.arpa. not found: 3(NXDOMAIN)
Unfortunately, I can't reach that host, so I can't find out what it is  
- traceroute says:
	$ traceroute 24.64.209.155
	traceroute to 24.64.209.155 (24.64.209.155), 64 hops max, 40 byte packets
	 1  10.0.1.1 (10.0.1.1)  1.358 ms  1.494 ms  5.885 ms
		...
	 7  rc2wh-pos0-7-2-0.vc.shawcable.net (66.163.76.65)  38.386 ms  27.489 ms  25.912 ms
	 8  rc1so-pos11-0.cg.shawcable.net (66.163.76.9)  44.012 ms  54.625 ms  38.815 ms
	 9  rd1so-ge2-0-0.cg.shawcable.net (66.163.71.78)  39.274 ms  38.959 ms  38.849 ms
	10  * * *
but "shawcable.net" suggests that it might be the address of a Shaw  
Cable subscriber - perhaps that subscriber, and something on  
aquaultraviolet.com, is trying to access *your* server, and it is, for  
example, trying to log the host name of the client, doing a reverse  
lookup, first trying DNS, failing, and then trying NetBIOS?
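
An added example, not part of the original message: a Python parser for the UDP port 137 payload behind a capture line like the ones above, which decodes the queried name and flags a wildcard NBSTAT query sent to a public address. The function names and the sample packet are constructed for illustration; the layout assumed is the RFC 1001/1002 single-question request with no scope ID.

```python
import ipaddress
import struct

NBSTAT = 0x0021  # node status question type (RFC 1002)

def decode_nb_name(encoded: bytes) -> bytes:
    """Undo RFC 1001 first-level encoding: two letters 'A'..'P' per byte."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def parse_nbns_query(payload: bytes):
    """Return (raw 16-byte name, qtype) for a one-question NBNS request."""
    if len(payload) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("truncated NBNS packet")
    _txid, flags, qdcount = struct.unpack_from("!HHH", payload, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question request")
    if payload[12] != 32 or payload[45] != 0:
        raise ValueError("unexpected name layout (scope IDs not handled)")
    name = decode_nb_name(payload[13:45])
    qtype, _qclass = struct.unpack_from("!HH", payload, 46)
    return name, qtype

def display_name(name: bytes) -> str:
    """Render non-printable bytes as <xx>, as in the capture lines above."""
    return "".join(chr(b) if 0x20 < b < 0x7F else f"<{b:02x}>" for b in name)

def is_external_nbstat(dst_ip: str, payload: bytes) -> bool:
    """True for a wildcard NBSTAT query sent to a globally routable address."""
    name, qtype = parse_nbns_query(payload)
    wildcard = name == b"*" + b"\x00" * 15
    return qtype == NBSTAT and wildcard and ipaddress.ip_address(dst_ip).is_global

# Constructed sample: UDP/137 payload of a node status request for "*".
# '*' (0x2A) encodes to "CK"; each NUL pad byte encodes to "AA".
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x0000, 1, 0, 0, 0)
          + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
          + struct.pack("!HH", NBSTAT, 0x0001))

if __name__ == "__main__":
    name, qtype = parse_nbns_query(SAMPLE)
    print(display_name(name), hex(qtype),
          is_external_nbstat("65.200.10.34", SAMPLE))
```

Run over the UDP payloads of a capture, a check like this separates reverse-lookup NBSTAT queries aimed at Internet hosts from ordinary name service traffic on the local network.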