is this an intrusion scan?

chuck007
Level 1

I've been consistently getting 1000's of syslog messages (severity 3) like this:

106011 Deny inbound (No xlate) udp src outside:x.x.x.26/1025 dst outside:y.y.y.245/137

106011 Deny inbound (No xlate) udp src outside:x.x.x.26/1025 dst outside:y.y.y.163/137

106011 Deny inbound (No xlate) udp src outside:x.x.x.26/1025 dst outside:y.y.y.194/80

The outside source x.x.x.x address changes about every 5 hits. They are trying to reach my destination y.y.y.y addresses only on port 137 and occasionally port 80. The group of 5 hits are only a few seconds apart, and the next group hits about 5 min to 10 min later. Oh... the source addresses are real and PINGable. This has been going on for weeks. Any ideas on how to approach this? Thanks in advance.

--Chuck
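The pattern described in the post (one outside source, a handful of distinct destination addresses on UDP/137 within a few seconds, then a new source) can be surfaced directly from the syslog feed. The script below is an added illustration, not code from this thread or from Cisco: it parses 106011 "Deny inbound (No xlate)" lines, groups the denies by source address and flags any source that hit several distinct destinations, which is the signature of a horizontal sweep rather than a single misconfigured host. The log lines are constructed, with documentation address ranges standing in for x.x.x and y.y.y, and the message layout is assumed to match the three lines quoted above.

```python
import re
from collections import Counter, defaultdict

# Field layout of the 106011 "Deny inbound (No xlate)" message as quoted in the thread.
# Assumption: "src <iface>:<ip>/<port> dst <iface>:<ip>/<port>"; other message IDs are skipped.
LINE_RE = re.compile(
    r"106011 Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# Constructed sample log (documentation ranges 203.0.113.0/24, 192.0.2.0/24 and
# 198.51.100.0/24 stand in for the x.x.x and y.y.y addresses in the post).
SAMPLE_LOG = """\
106011 Deny inbound (No xlate) udp src outside:203.0.113.26/1025 dst outside:198.51.100.245/137
106011 Deny inbound (No xlate) udp src outside:203.0.113.26/1025 dst outside:198.51.100.163/137
106011 Deny inbound (No xlate) udp src outside:203.0.113.26/1025 dst outside:198.51.100.194/80
106011 Deny inbound (No xlate) udp src outside:203.0.113.26/1025 dst outside:198.51.100.12/137
106011 Deny inbound (No xlate) udp src outside:203.0.113.26/1025 dst outside:198.51.100.77/137
106011 Deny inbound (No xlate) udp src outside:203.0.113.88/1025 dst outside:198.51.100.5/137
106011 Deny inbound (No xlate) udp src outside:203.0.113.88/1025 dst outside:198.51.100.6/137
106011 Deny inbound (No xlate) udp src outside:203.0.113.88/1025 dst outside:198.51.100.7/137
106011 Deny inbound (No xlate) udp src outside:192.0.2.9/137 dst outside:198.51.100.245/137
999999 constructed unrelated line that the parser must ignore
"""


def parse_line(line):
    """Return the fields of a 106011 line as a dict, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def summarize_by_source(log_text):
    """Group denies by source IP: the set of distinct targets and hits per destination port."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_src[rec["src_ip"]]
        entry["targets"].add(rec["dst_ip"])
        entry["ports"][rec["dst_port"]] += 1
    return per_src


def flag_sweeps(log_text, min_targets=3):
    """Sources that touched at least min_targets distinct destinations (a sweep signature).

    Returns [(src_ip, distinct_targets, {dst_port: hits}), ...], most targets first.
    A single host repeatedly hitting one address is NOT flagged; that looks like a
    misconfigured peer rather than a scan.
    """
    flagged = []
    for src, entry in summarize_by_source(log_text).items():
        if len(entry["targets"]) >= min_targets:
            flagged.append((src, len(entry["targets"]), dict(entry["ports"])))
    flagged.sort(key=lambda t: (-t[1], t[0]))
    return flagged


def port_hit_counts(log_text):
    """Total denies per destination port across all sources: what the noise is actually aimed at."""
    total = Counter()
    for entry in summarize_by_source(log_text).values():
        total.update(entry["ports"])
    return dict(total)


if __name__ == "__main__":
    for src, n_targets, ports in flag_sweeps(SAMPLE_LOG):
        print(f"{src}: {n_targets} distinct targets, hits per port {ports}")
    print("denies per destination port:", port_hit_counts(SAMPLE_LOG))
```

Run against a real syslog export, `port_hit_counts` answers the question of whether the port 80 hits are a material share of the noise before anything is filtered, and `flag_sweeps` separates range-scanning sources from a single host that keeps retrying one address; the `min_targets` threshold is a starting point to tune against the feed.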

2 Replies

brford
Cisco Employee

Do you have an application that you want to serve to the Internet on port 137? It is the standard MS NetBIOS port. Chances are someone out there has a misconfigured Windows box that is pointed your way. If your security policy is to not allow NetBIOS connections from the Internet (a wise idea) I would put an ACL on your upstream router blocking all access to your network from the Internet at UDP port 137. I wouldn't even bother logging this at the router. Just drop it.

Technically UDP port 80 is assigned to HTTP/Web traffic. If you don't have a web site served from your location you might want to investigate how many folks are trying to access via port 80. Does it associate at all with your users' web browsing? And then maybe filter that too after you've looked at it, trying to determine if it's just random scans. Be careful and listen for user feedback after blocking it though.

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.

I don't have any servers that need NETBIOS access from the outside. Seems like they are randomly scanning my address range... it's not limited to any particular inside IPs. I think blocking at the upstream router may do the trick by reducing the logs. Still, is there anything I can do to trace the REAL source of the scan? Thanks for your earlier suggestion.

--CD