j k wrote:
> 
> hi people, well the reason why I ask this is because, recently I
> was told by my network manager that there is a virus which uses
> netbios (udp 137, tcp 138 and tcp 139) as a transport and had
> crossed the WAN from a spoke site to a hub site.

The NetBIOS ports are infamous targets for hackers and viruses. Yes,
definitely close them up.

> And I was
> told to put an ACL by blocking the above port on the
> fastethernet interface, well I was kind of confused as in, I
> remember that netbios isn't routable across the WAN, IF, and I
> mean IF there is really such a virus that uses these ports, they
> shouldn't be able to traverse to the other site across the WAN
> right??

Yes, they can traverse. They are carried in IP, so of course, they are
routable. But the packets to UDP port 137 are usually broadcasts, and so
they don't traverse without a helper address.

> And when I did some debug ip packet, the udp 136 and or
> of course the tcp138 and 139, was captured and dropped! at the
> fastethernet interface and TR interface (I had placed the ACL on
> both fastether and TR) but when I place it on the serial, I don't
> see any udp 136 at all!...I just need some clarification from
> people at this forum here

136 is a typo?

If the broadcast packets using port 137 don't get through, perhaps you won't
see the 138 and 139. The session establishment won't work if the broadcasts
don't work first.

I would still block it. It can't hurt. They are infamous. And, of course it
is routable. If you've read enough networking material to have heard that
NetBIOS isn't routable then you must have some idea of what UDP and TCP do
and what they run above and one of the main jobs of that protocol!?! Sorry,
getting GRUMPY again. :-)

Priscilla

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=71269&t=71084
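
An added example, not part of the original message or of the thread participants' configurations: a Cisco IOS configuration that covers both points made above, the ACL on the LAN-facing interface and the helper-address relay of NetBIOS broadcasts. The ACL number 110, the interface name FastEthernet0/0 and the inbound direction are assumptions. The ranges cover 137 through 139 on both UDP and TCP, so they match the ports as listed in the question as well as the standard assignments (UDP 137 name service, UDP 138 datagram service, TCP 139 session service).

```cisco
! Constructed example: ACL number and interface name are assumptions.
!
! When "ip helper-address" is configured on an interface, IOS relays
! UDP broadcasts for a default set of ports that includes 137 and 138.
! Remove the NetBIOS ports from that set so the broadcasts stay local
! while DHCP/BOOTP relay keeps working.
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
!
! Drop NetBIOS over IP before it is routed toward the WAN.
! The "log" keyword records source addresses, which helps locate
! the hosts that are generating the traffic.
access-list 110 remark Block NetBIOS over IP (ports 137-139)
access-list 110 deny   udp any any range 137 139 log
access-list 110 deny   tcp any any range 137 139 log
access-list 110 permit ip any any
!
interface FastEthernet0/0
 ip access-group 110 in
!
! Check the per-line match counters from exec mode with:
!   show access-lists 110
```

With the ACL applied inbound on the LAN interface, matching packets are dropped before routing, so none of them should appear on the serial interface.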