Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

is this an intrusion scan?

I've been consistantly getting 1000's of syslog messages (severity 3) like this:

106011 Deny inbound (No xlate) udp src outside:x.x.x.26/1025 dst outside:y.y.y.245/137

106011 Deny inbound (No xlate) udp src outside:x.x.x.26/1025 dst outside:y.y.y.163/137

106011 Deny inbound (No xlate) udp src outside:x.x.x.26/1025 dst outside:y.y.y.194/80

The outside source x.x.x.x address changes about every 5 hits. They are trying to reach my destination y.y.y.y addresses only on ports 137 and occationally port 80. The group of 5 hits are only a few seconds apart. And the next group hits about 5min to 10min later. Oh... the source addresses are real and PINGable. This has been going on for weeks. Any ideas on how to approach this? Thanks in advance.


Cisco Employee

Re: is this an intrusion scan?

Do you have an application that you want to serve to the Internet on port 137? It is the standard MS NetBIOS port. Chances are someone out there has a misconfigured Windows box that is pointed your way. If your security policy is to not allow NetBIOS connections from the Internet (a wise idea) I would put an ACL on your upstream router blocking all access to your network from the Internet at UDP port 137. I wouldn't even bother logging this at the router. Just drop it.

Technically UDP port 80 is assigned to HTTP/ Web traffic. If you don't have a web site served from your location you might want to investigate how many folks are trying to access via port 80. Does it associate at all with your users web browsing? And then maybe filter that too after you've looked at it trying to determine if it's just random scans. Be careful and listen for user feedback after blocking it though.

New Member

Re: is this an intrusion scan?

I don't have any servers that need NETBIOS access from the outside. Seems like they are randomly scanning my address range.... it's not limited to any particular inside IPs. I think blocking at the upstream router may do the trick by reducing the logs. Still, are there any thing I can do to trace the REAL source of the scan? Thanks for your earlier suggestion.