From owner-freebsd-security Wed Oct 28 17:23:29 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA02762 for freebsd-security-outgoing; Wed, 28 Oct 1998 17:23:29 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from phoenix.volant.org (phoenix.volant.org [205.179.79.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA02757 for ; Wed, 28 Oct 1998 17:23:26 -0800 (PST) (envelope-from patl@phoenix.volant.org)
From: patl@phoenix.volant.org
Received: from asimov.phoenix.volant.org ([205.179.79.65]) by phoenix.volant.org with smtp (Exim 1.92 #8) id 0zYfoy-0002vX-00; Wed, 28 Oct 1998 16:20:13 -0800
Received: from localhost by asimov.phoenix.volant.org (SMI-8.6/SMI-SVR4) id QAA12331; Wed, 28 Oct 1998 16:20:04 -0800
Date: Wed, 28 Oct 1998 16:20:04 -0800 (PST)
Reply-To: patl@phoenix.volant.org
Subject: Re: Cause of NetBIOS-NS requests from outside
To: Kenneth Ingham
cc: security@FreeBSD.ORG
In-Reply-To: <19981028171202.A4585@i-pi.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Wed, Oct 28, 1998 at 03:01:35PM -0800, patl@phoenix.volant.org wrote:
> > I've recently started logging more of the packets which are denied
> > by my filters. Since then, I've noticed occasional bursts of UDP
> > packets aimed at the NetBIOS-NS port (137) on my primary server.
> >
> > Is this more likely to be M$ brain-damage, or an attempted probe
> > by some script-kiddie?
>
> M$ brain-damage.
>
> I worked with one of the people who was bouncing off of my firewall one
> time. If you are using WINS for anything, it tries to use it for
> everything. I now ignore them, and really should tell the firewall to
> not even log them.

So it's probably trying to contact my DNS server via NetBIOS-NS protocol?
I can easily understand how any local M$ machines could be sending
these packets to my servers; but what has me puzzled is why an outside
machine would try to contact my server for WINS info.

This doesn't seem to be any real threat; and since it is much more
likely to be M$ brain-damage, I'll probably add a filter rule to
explicitly deny them without logging. But I would like to have a
better understanding of the underlying reasons. (That is, reasons
more specific than 'M$ is completely clueless'.)

-Pat