From owner-freebsd-questions Sun Sep 3 11:37:28 2000 Delivered-To: freebsd-questions@freebsd.org Received: from guru.mired.org (zoom2-087.telepath.com [216.14.2.87]) by hub.freebsd.org (Postfix) with SMTP id 600D337B422 for ; Sun, 3 Sep 2000 11:37:23 -0700 (PDT) Received: (qmail 13352 invoked by uid 100); 3 Sep 2000 18:36:47 -0000 From: Mike Meyer MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14770.39487.46522.546296@guru.mired.org> Date: Sun, 3 Sep 2000 13:36:47 -0500 (CDT) To: groggy@iname.com Cc: questions@freebsd.org Subject: Re: signature? In-Reply-To: <25395295@toto.iv> X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG% *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\ Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG groggy@iname.com writes: > > It's not port UDP 68, it's netbios-ns; it's Windows boxs that like to do a > > netbios nameserver lookup on whoever connections to them. MS assumed that > > anything connecting to them "must" be a windows box and tries to log the > > Netbios name of it.... these end up as mostly noise in firewall logs. > > > > I specifically disabled monitoring of UDP 137/138 in my own firewalls as the > > number of stupid IIS servers that kept trying to find out the netbios name > > of the squid proxies was filling the logs with useless information... > this sounds good to me :) i figured it was some IIS crap ... > i think my ISP recently replaced their SunOS and System V boxes > with IIS servers - i know they renamed all their boxes - and that's > when this problem started. it still bothers me that they have a right > to clutter my connection with so much useless garbage! i mean, it does > cause "stalls" on connections to my server since 10 seconds > of every minute my connectin is jammed with this garbage ... > it would be a hassle to change providers for many reasons, > do i have any right to make them stop? :) i mean, it's > almost a DOS attack, isn't it? :) If you feel like it's a DOS (or some other form of) attack, then it is. Treat it as one - as correctly as possible. Don't assume that they are doing it on purpose, or even know that it's going on. Report it as an attack that may be coming from somone having broken into their systems, and ask them to deal with it.