Netgate Discussion Forum

Port 137 flooding - Any ideas?

General pfSense Questions
    taenzerme
    last edited by May 26, 2015, 8:19 PM May 26, 2015, 12:10 PM

    Hi all,

    we're running into issues with our network being flooded by these packages without any reason:

    ```text
    14:00:07.973893 0e:4a:34:17:b4:0c > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 67: 92.xx.xxx.x > 192.168.10.2: ICMP 192.168.10.164 udp port 137 unreachable, length 33
    14:00:07.974008 0e:4a:34:17:b4:0c > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 67: 92.xx.xxx.x > 192.168.10.2: ICMP 192.168.10.164 udp port 137 unreachable, length 33
    14:00:07.974045 00:05:cd:2a:11:bc > b8:ff:61:39:10:56, ethertype IPv4 (0x0800), length 67: 92.xx.xxx.x > 192.168.10.2: ICMP 192.168.10.164 udp port 137 unreachable, length 33
    ```

    (from tcpdump -nei vtnet0/vtnet1)

    It doesn't matter which interface I use - the packages are on all interfaces.
    Disabling the vtnet0 (WAN) if and re-enabling it stops the packages.

    Any ideas where to look?

    Best
    Sebastian

      MaxPF
      last edited by May 26, 2015, 6:59 PM

      It's normal if you have Windows machines on your network

      http://www.iss.net/security_center/advice/Exploits/Ports/137/default.htm

        taenzerme
        last edited by May 26, 2015, 7:02 PM

        The thing is - it happens from time to time only and makes the whole network completely unusable. The traffic is on all ports and blocking all devices. Network bandwidth on every port is down to 3-4 Mbit/s. I then disable the WAN port inside the pfSense and re-enable it - no more packages, throughput back to normal.

        We don't have any Windows servers on our network except one Windows 7 VM running on another Proxmox host.

          KOM
          last edited by May 26, 2015, 8:32 PM May 26, 2015, 8:13 PM

          What are these IPs, your WAN, your LAN and some other thing at .164?

          92.xx.xx.xx => Your WAN?

          192.168.10.2 => Your LAN?

          192.168.10.164 => ???

          Some kind of NetBIOS storm coming in from WAN?  That doesn't make sense to me.

          Please provide more detail about your network, as well as screens of your WAN and LAN rules.

            taenzerme
            last edited by May 26, 2015, 8:42 PM

            • 92.xx.xxx.x is one of our public WAN IPs
            • 192.168.10.xxx is LAN
            • 192.168.10.164 at that time was an old iPad 1 configured with .164 by a static DHCP lease.

            Setup:

            AVM FritzBox 6360 Cable acting as cable modem/gateway configured with static WAN IPs => Proxmox VM Host => pfSense VM vtnet1
            LAN => Proxmox VM Host => pfSense VM vtnet0

            ![Screenshot 2015-05-26 22.25.37.png](/public/imported_attachments/1/Screenshot 2015-05-26 22.25.37.png)
            ![Screenshot 2015-05-26 22.25.58.png](/public/imported_attachments/1/Screenshot 2015-05-26 22.25.58.png)

              KOM
              last edited by May 27, 2015, 1:29 PM

              Hmm. How often does this happen?  Is it always directed to that one IP address for your iPad, or random?  The originating device has an OUI owned by Denon for what it's worth.

                taenzerme
                last edited by May 27, 2015, 1:34 PM

                Happens once a week or so.
                Target IPs are random through the whole network.

                Interesting, we have a Denon network AV in the meeting room.

                I'll have a look into that as that one in fact has been acting very strange for a while (getting hot,  not reacting, not reachable in network).

                  Bonsai
                  last edited by May 27, 2015, 4:17 PM

                  A lot of devices with a Linux OS have Samba installations (client or server), for example videoconference systems that are able to browse Windows network shares. Such devices could also flood ports like 137/138/445.

                    johnpoz LAYER 8 Global Moderator
                    last edited by May 27, 2015, 4:38 PM

                    If you have problems with DNS you will also see traffic to 137, even broadcast looking for stuff from Windows clients.  Windows machines will try stupid stuff to try and resolve ;)

                    example - see the directed broadcasts asking for imgur.com and bbc.co.uk

                    What exact interface are you seeing this on?  I would do your sniffs again but this time download and open them up in Wireshark to get better info on what exactly is going on.  That looks like something asked for something on 137 and got told by whatever saw the traffic that that port is not open via ICMP.

                    http://www.networksorcery.com/enp/protocol/icmp/msg3.htm

                    Is that your ISP gateway saying hey you can not talk to port 137?  Are you sending out the traffic to the internet?  I don't see how your public IP should be seeing traffic from your LAN IPs.. Could you draw up your network and how your LAN is connected to pfSense, etc.  Do you have VLANs with a switch?

                    Pfsense shouldn't be sending out icmp redirects, not with block rules.  Do you have reject rules setup?

                    137traffic.png

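Following the suggestion above to pull more out of the capture, here is an added example (not code from the thread or from the pfSense project) that parses lines in the `tcpdump -nei` format Sebastian posted, flags what makes each ICMP port-unreachable frame abnormal on a LAN segment, and counts the flagged frames per sender MAC so the noisy device stands out. The sample is constructed from the posted lines; the masked public address is replaced with the RFC 5737 stand-in 203.0.113.7 so it parses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the "tcpdump -nei" format quoted in the thread; the masked
# public address is replaced by 203.0.113.7, and a normal echo request is a control line.
SAMPLE = """\
14:00:07.973893 0e:4a:34:17:b4:0c > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 67: 203.0.113.7 > 192.168.10.2: ICMP 192.168.10.164 udp port 137 unreachable, length 33
14:00:07.974008 0e:4a:34:17:b4:0c > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 67: 203.0.113.7 > 192.168.10.2: ICMP 192.168.10.164 udp port 137 unreachable, length 33
14:00:07.974045 00:05:cd:2a:11:bc > b8:ff:61:39:10:56, ethertype IPv4 (0x0800), length 67: 203.0.113.7 > 192.168.10.2: ICMP 192.168.10.164 udp port 137 unreachable, length 33
14:00:08.000120 b8:ff:61:39:10:56 > 00:05:cd:2a:11:bc, ethertype IPv4 (0x0800), length 98: 192.168.10.2 > 192.168.10.1: ICMP echo request, id 7, seq 1, length 64
"""

UNREACH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP (?P<target>\S+) (?P<proto>udp|tcp) port (?P<port>\d+) unreachable"
)
NETBIOS_SMB_PORTS = {137, 138, 139, 445}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_unreachable(line):
    """Fields of an ICMP port-unreachable line (type 3, code 3), or None for other traffic."""
    m = UNREACH_RE.match(line)
    return m.groupdict() if m else None


def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def anomalies(rec):
    """Reasons a port-unreachable frame looks wrong when seen on a LAN segment."""
    reasons = []
    if int(rec["port"]) in NETBIOS_SMB_PORTS:
        reasons.append("netbios/smb")  # the quoted original packet was NetBIOS/SMB traffic
    if rec["dmac"] == "ff:ff:ff:ff:ff:ff":
        reasons.append("icmp-error-to-broadcast")  # ICMP errors are unicast; this hits every port
    if not is_rfc1918(rec["src"]) and is_rfc1918(rec["target"]):
        reasons.append("public-sender-quotes-private-target")  # LAN-addressed packet reached a public host
    return reasons


def summarize(text):
    """Count flagged frames per sender MAC (the OUI can then be looked up, as KOM did)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_unreachable(line)
        if rec and anomalies(rec):
            counts[rec["smac"]] += 1
    return counts
```

Feed it a text capture saved with `tcpdump -nei <if> > capture.txt` and pass the file contents to `summarize`.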
                      Bonsai
                      last edited by May 27, 2015, 4:50 PM

                      Yeah, it is generally important that traffic on ports 137/138 and 445 never leaves the WAN interface to your ISP, as this also opens some holes in the firewall...

                      I just had the case here that in my test environment my WAN interface was in a productive LAN. In my test LAN behind the pfSense I was able to browse the shares outside of my WAN interface  ;D Incoming traffic was blocked altogether, except 443 to pfSense.
                      So if your computers talk to the computers outside on the internet .... they answer. You may not like all these answers ;-D And the firewall will let the answer through .... as your LAN computer opened the session.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.