Port 137/138 accesses within home network

A few newly installed applications required a modification of firewall
rules, which prompted me to clean up the convolution of rules that
I've amassed over the years. Afterward, I started to get regular
outbound UDP connections from "SYSTEM" to 192.168.1.255, ports
137-138. Much web searching ensued. It could be bad (http://
www.linklogger.com/UDP137.htm) or just IP/name resolutions (http://
www.iss.net/security_center/advice/Exploits/Ports/137/default.htm and
others).

This is a very simple home network, consisting of a DSL modem/router,
and zero to two laptops connected via LAN cable to WiFi (either
Windows 2000 or WindowsXP). One page visited was
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017. It
looks like it was meant for non-home IT folk, possibly with a degree
in the area.

For the schmoe home user, what is the advisability of allowing such
accesses to addresses within the home network? A bit of rummaging
turns up RFC 1918, which says what such address ranges are. In my
case, it seems to be the 16-bit block at 192.168.xxx.yyy. Laptops on
this "network" are likely to be installed with standard security
applications (firewall, AV, Spybot Search&Destroy).

Aside for the advisability of the access rule, why would such accesses
be attempted to 192.168.1.255? There is nothing there.

Mr
Sun Apr 20 14:56:58 CDT 2008


"AndyHancock" <AndyMHancock@gmail.com> wrote in message
news:cf517268-ebab-4179-bae7-163fa6fab444@c65g2000hsa.googlegroups.com...

> Aside for the advisability of the access rule, why would such accesses
> be attempted to 192.168.1.255? There is nothing there.

The operative word here is *wireless*. I'll assume that the other machines
are using an IP in the 192.168.1.xxx range. I'll assume you're using the
DHCP server on the router to issue DHCP IP(s) to the computers on the
network, which are being kept in the DHCP table on the router so that you
can see them.

The wireless side of your network could be hacked, the hacker could be using
a static IP of 192.168.1.255, your DHCP server is not issuing IP(s) out that
far so none of your machines are going to use that IP out that far. Static
IP(s) are are not kept in the router's DHCP table, so you can't see them in
use.

So, there can be a machine that is using that IP wirelessly by a wireless
hacker.

It's a possibility.

Sebastian
Sun Apr 20 14:58:43 CDT 2008

AndyHancock wrote:

> Laptops on this "network" are likely to be installed with standard
> security applications (firewall, AV, Spybot Search&Destroy).


So they're likely to be compromised.

Steve
Sun Apr 20 21:34:16 CDT 2008

192.168.1.255 is the broadcast address for the subnet 192.168.1.0/24
(192.168.1.xxx) -- in this case, your home network. It's highly unlikely
that there's an attacker on this address, because TCP/IP doesn't allow a
machine to be configured with an IP address the same as a broadcast address.
When a computer wants to send broadcast traffic to all other computers in
the subnet, it creates traffic with a destination address of that subnet's
broadcast address.

So in this case, your computer is simply doing its normal thing in Windows
networking, using broadcasts to announce itself and discover other computers
nearby. It's nothing to worry about. Your DSL router won't be allowing these
to go beyond your home network.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Mr. Arnold" <MR. Arnold@Arnold.com> wrote in message
news:lb6dncc7YfGWPZbVnZ2dnUVZ_t-nnZ2d@earthlink.com...
>
> "AndyHancock" <AndyMHancock@gmail.com> wrote in message
> news:cf517268-ebab-4179-bae7-163fa6fab444@c65g2000hsa.googlegroups.com...
>
>> Aside for the advisability of the access rule, why would such accesses
>> be attempted to 192.168.1.255? There is nothing there.
>
> The operative word here is *wireless*. I'll assume that the other
> machines are using an IP in the 192.168.1.xxx range. I'll assume you're
> using the DHCP server on the router to issue DHCP IP(s) to the computers
> on the network, which are being kept in the DHCP table on the router so
> that you can see them.
>
> The wireless side of your network could be hacked, the hacker could be
> using a static IP of 192.168.1.255, your DHCP server is not issuing IP(s)
> out that far so none of your machines are going to use that IP out that
> far. Static IP(s) are are not kept in the router's DHCP table, so you
> can't see them in use.
>
> So, there can be a machine that is using that IP wirelessly by a wireless
> hacker.
>
> It's a possibility.
>
>
>

AndyHancock
Sun Apr 20 22:25:21 CDT 2008

On Apr 20, 3:56 pm, "Mr. Arnold" <MR. Arn...@Arnold.com> wrote:
> "AndyHancock" <AndyMHanc...@gmail.com> wrote in message
>
> news:cf517268-ebab-4179-bae7-163fa6fab444@c65g2000hsa.googlegroups.com...
>
> > Aside for the advisability of the access rule, why would such accesses
> > be attempted to 192.168.1.255? There is nothing there.
>
> The operative word here is *wireless*. I'll assume that the other machines
> are using an IP in the 192.168.1.xxx range. I'll assume you're using the
> DHCP server on the router to issue DHCP IP(s) to the computers on the
> network, which are being kept in the DHCP table on the router so that you
> can see them.
>
> The wireless side of your network could be hacked, the hacker could be using
> a static IP of 192.168.1.255, your DHCP server is not issuing IP(s) out that
> far so none of your machines are going to use that IP out that far. Static
> IP(s) are are not kept in the router's DHCP table, so you can't see them in
> use.
>
> So, there can be a machine that is using that IP wirelessly by a wireless
> hacker.
>
> It's a possibility.

I agree that the possibility is always present. However, the WiFi
does use WEP, and the wireless interface is turned off most of the
time. As well, the DSL side is disconnected when not in use.
Finally, the modem shows all devices connected to it, and only the two
known laptops show up..

AndyHancock
Sun Apr 20 22:47:25 CDT 2008

On Apr 20, 10:34 pm, "Steve Riley [MSFT]" <steve.ri...@microsoft.com>
wrote:
> 192.168.1.255 is the broadcast address for the subnet 192.168.1.0/24
> (192.168.1.xxx) -- in this case, your home network. It's highly unlikely
> that there's an attacker on this address, because TCP/IP doesn't allow a
> machine to be configured with an IP address the same as a broadcast address.
> When a computer wants to send broadcast traffic to all other computers in
> the subnet, it creates traffic with a destination address of that subnet's
> broadcast address.
>
> So in this case, your computer is simply doing its normal thing in Windows
> networking, using broadcasts to announce itself and discover other computers
> nearby. It's nothing to worry about. Your DSL router won't be allowing these
> to go beyond your home network.

Thank you, Steve. I've allowed UDP's to/from 192.168.1.0/24, ports
137-138.

> steve.ri...@microsoft.comhttp://blogs.technet.com/sterileyhttp://www.protectyourwindowsnetwork.com
>
> "Mr. Arnold" <MR. Arn...@Arnold.com> wrote in messagenews:lb6dncc7YfGWPZbVnZ2dnUVZ_t-nnZ2d@earthlink.com...
>
>
>
> > "AndyHancock" <AndyMHanc...@gmail.com> wrote in message
> >news:cf517268-ebab-4179-bae7-163fa6fab444@c65g2000hsa.googlegroups.com...
>
> >> Aside for the advisability of the access rule, why would such accesses
> >> be attempted to 192.168.1.255? There is nothing there.
>
> > The operative word here is *wireless*. I'll assume that the other
> > machines are using an IP in the 192.168.1.xxx range. I'll assume you're
> > using the DHCP server on the router to issue DHCP IP(s) to the computers
> > on the network, which are being kept in the DHCP table on the router so
> > that you can see them.
>
> > The wireless side of your network could be hacked, the hacker could be
> > using a static IP of 192.168.1.255, your DHCP server is not issuing IP(s)
> > out that far so none of your machines are going to use that IP out that
> > far. Static IP(s) are are not kept in the router's DHCP table, so you
> > can't see them in use.
>
> > So, there can be a machine that is using that IP wirelessly by a wireless
> > hacker.
>
> > It's a possibility.