Port 137/138 accesses within home network - Firewalls


Thread: Port 137/138 accesses within home network

  1. Port 137/138 accesses within home network

    A few newly installed applications required a modification of firewall
    rules, which prompted me to clean up the convolution of rules that
    I've amassed over the years. Afterward, I started to get regular
    outbound UDP connections from "SYSTEM" to 192.168.1.255, ports
    137-138. Much web searching ensued. It could be bad
    (http://www.linklogger.com/UDP137.htm) or just IP/name resolutions
    (http://www.iss.net/security_center/a...37/default.htm and others).

    This is a very simple home network, consisting of a DSL modem/router,
    and zero to two laptops connected via LAN cable to WiFi (either
    Windows 2000 or WindowsXP). One page visited was
    http://support.microsoft.com/default...b;en-us;832017. It
    looks like it was meant for non-home IT folk, possibly with a degree
    in the area.

    For the schmoe home user, what is the advisability of allowing such
    accesses to addresses within the home network? A bit of rummaging
    turns up RFC 1918, which says what such address ranges are. In my
    case, it seems to be the 16-bit block at 192.168.xxx.yyy. Laptops on
    this "network" are likely to be installed with standard security
    applications (firewall, AV, Spybot Search&Destroy).

    Aside for the advisability of the access rule, why would such accesses
    be attempted to 192.168.1.255? There is nothing there.

  2. Re: Port 137/138 accesses within home network


    "AndyHan****" wrote in message
    news:cf517268-ebab-4179-bae7-163fa6fab444@c65g2000hsa.googlegroups.com...

    > Aside for the advisability of the access rule, why would such accesses
    > be attempted to 192.168.1.255? There is nothing there.


    The operative word here is *wireless*. I'll assume that the other machines
    are using an IP in the 192.168.1.xxx range. I'll assume you're using the
    DHCP server on the router to issue DHCP IP(s) to the computers on the
    network, which are being kept in the DHCP table on the router so that you
    can see them.

    The wireless side of your network could be hacked, the hacker could be using
    a static IP of 192.168.1.255, your DHCP server is not issuing IP(s) out that
    far so none of your machines are going to use that IP out that far. Static
    IP(s) are not kept in the router's DHCP table, so you can't see them in
    use.

    So, there can be a machine that is using that IP wirelessly by a wireless
    hacker.

    It's a possibility.




  3. Re: Port 137/138 accesses within home network

    AndyHan**** wrote:

    > Laptops on this "network" are likely to be installed with standard
    > security applications (firewall, AV, Spybot Search&Destroy).



    So they're likely to be compromised.

  4. Re: Port 137/138 accesses within home network

    192.168.1.255 is the broadcast address for the subnet 192.168.1.0/24
    (192.168.1.xxx) -- in this case, your home network. It's highly unlikely
    that there's an attacker on this address, because TCP/IP doesn't allow a
    machine to be configured with an IP address the same as a broadcast address.
    When a computer wants to send broadcast traffic to all other computers in
    the subnet, it creates traffic with a destination address of that subnet's
    broadcast address.

    So in this case, your computer is simply doing its normal thing in Windows
    networking, using broadcasts to announce itself and discover other computers
    nearby. It's nothing to worry about. Your DSL router won't be allowing these
    to go beyond your home network.

    Steve Riley
    steve.riley@microsoft.com
    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com



    "Mr. Arnold" <Arnold@Arnold.com> wrote in message
    news:lb6dncc7YfGWPZbVnZ2dnUVZ_t-nnZ2d@earthlink.com...
    >
    > "AndyHan****" wrote in message
    > news:cf517268-ebab-4179-bae7-163fa6fab444@c65g2000hsa.googlegroups.com...
    >
    >> Aside for the advisability of the access rule, why would such accesses
    >> be attempted to 192.168.1.255? There is nothing there.

    >
    > The operative word here is *wireless*. I'll assume that the other
    > machines are using an IP in the 192.168.1.xxx range. I'll assume you're
    > using the DHCP server on the router to issue DHCP IP(s) to the computers
    > on the network, which are being kept in the DHCP table on the router so
    > that you can see them.
    >
    > The wireless side of your network could be hacked, the hacker could be
    > using a static IP of 192.168.1.255, your DHCP server is not issuing IP(s)
    > out that far so none of your machines are going to use that IP out that
    > far. Static IP(s) are not kept in the router's DHCP table, so you
    > can't see them in use.
    >
    > So, there can be a machine that is using that IP wirelessly by a wireless
    > hacker.
    >
    > It's a possibility.
    >
    >
    >
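
Added example, not part of any post in the thread: a check of the broadcast-address explanation above, applied to firewall log entries for UDP 137/138. The LAN prefix is the 192.168.1.0/24 subnet named in the thread; the log line format and the sample entries are constructed for illustration.

```python
import ipaddress

# Assumption: the home LAN discussed in the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
NETBIOS_UDP_PORTS = {137, 138}  # NetBIOS name service, datagram service

# Constructed log lines in a made-up "proto src dst dport" format.
SAMPLE_LOG = """\
UDP 192.168.1.10 192.168.1.255 137
UDP 192.168.1.10 192.168.1.255 138
UDP 192.168.1.11 192.168.1.10 137
UDP 192.168.1.10 203.0.113.7 137
UDP 192.168.1.10 192.168.1.255 1900
TCP 192.168.1.10 192.168.1.255 137
"""

def classify(line, lan=LAN):
    """Label one entry against a 'NetBIOS stays inside the LAN' rule."""
    proto, src, dst, dport = line.split()
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if proto != "UDP" or int(dport) not in NETBIOS_UDP_PORTS:
        return "not-netbios-udp"
    if src_ip not in lan:
        return "review: source outside LAN"
    if dst_ip == lan.broadcast_address:
        # Every host on the subnet receives this; no single host owns it.
        return "allow: subnet broadcast"
    if dst_ip in lan:
        return "allow: LAN unicast"
    return "review: leaves LAN"

def classify_log(text):
    """Classify every non-empty line of a log excerpt."""
    return [classify(l) for l in text.splitlines() if l.strip()]

def is_assignable_host(addr, lan=LAN):
    """True if addr is a usable host address (not network or broadcast)."""
    ip = ipaddress.ip_address(addr)
    return ip in lan and ip not in (lan.network_address, lan.broadcast_address)

if __name__ == "__main__":
    for line, label in zip(SAMPLE_LOG.splitlines(), classify_log(SAMPLE_LOG)):
        print(f"{line:40s} {label}")
```
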


  5. Re: Port 137/138 accesses within home network

    On Apr 20, 3:56 pm, "Mr. Arnold" wrote:
    > "AndyHan****" wrote in message
    >
    > news:cf517268-ebab-4179-bae7-163fa6fab444@c65g2000hsa.googlegroups.com...
    >
    > > Aside for the advisability of the access rule, why would such accesses
    > > be attempted to 192.168.1.255? There is nothing there.

    >
    > The operative word here is *wireless*. I'll assume that the other machines
    > are using an IP in the 192.168.1.xxx range. I'll assume you're using the
    > DHCP server on the router to issue DHCP IP(s) to the computers on the
    > network, which are being kept in the DHCP table on the router so that you
    > can see them.
    >
    > The wireless side of your network could be hacked, the hacker could be using
    > a static IP of 192.168.1.255, your DHCP server is not issuing IP(s) out that
    > far so none of your machines are going to use that IP out that far. Static
    > IP(s) are not kept in the router's DHCP table, so you can't see them in
    > use.
    >
    > So, there can be a machine that is using that IP wirelessly by a wireless
    > hacker.
    >
    > It's a possibility.


    I agree that the possibility is always present. However, the WiFi
    does use WEP, and the wireless interface is turned off most of the
    time. As well, the DSL side is disconnected when not in use.
    Finally, the modem shows all devices connected to it, and only the two
    known laptops show up.

  6. Re: Port 137/138 accesses within home network

    On Apr 20, 10:34 pm, "Steve Riley [MSFT]" wrote:
    > 192.168.1.255 is the broadcast address for the subnet 192.168.1.0/24
    > (192.168.1.xxx) -- in this case, your home network. It's highly unlikely
    > that there's an attacker on this address, because TCP/IP doesn't allow a
    > machine to be configured with an IP address the same as a broadcast address.
    > When a computer wants to send broadcast traffic to all other computers in
    > the subnet, it creates traffic with a destination address of that subnet's
    > broadcast address.
    >
    > So in this case, your computer is simply doing its normal thing in Windows
    > networking, using broadcasts to announce itself and discover other computers
    > nearby. It's nothing to worry about. Your DSL router won't be allowing these
    > to go beyond your home network.


    Thank you, Steve. I've allowed UDP's to/from 192.168.1.0/24, ports
    137-138.
