From: patl@phoenix.volant.org
Date: Wed, 28 Oct 1998 20:05:43 -0800 (PST)
Subject: Re: Cause of NetBIOS-NS requests from outside
To: Nate Williams
cc: security@FreeBSD.ORG

> > > > I've recently started logging more of the packets which are denied
> > > > by my filters. Since then, I've noticed occasional bursts of UDP
> > > > packets aimed at the NetBIOS-NS port (137) on my primary server.
> > > >
> > > > Is this more likely to be M$ brain-damage, or an attempted probe
> > > > by some script-kiddie?
> > >
> > > M$ brain-damage.
> ...
> > So it's probably trying to contact my DNS server via NetBIOS-NS
> > protocol?
>
> Nope, it's doing a 'broadcast' on port 137,

If it's doing a broadcast, why is the destination address the IP
address of my server instead of one of the broadcast addresses
for my network? Or is this Micro$oft's definition of 'broadcast'?

> and it may have even gotten
> a response from a machine inside your network, depending on how you have
> your firewall setup.

Hmm. Maybe at some point in the past; but I've been blocking them
for several weeks now.

-Pat