From: patl@phoenix.volant.org
Date: Thu, 29 Oct 1998 12:10:11 -0800 (PST)
Reply-To: patl@phoenix.volant.org
Subject: Re: Cause of NetBIOS-NS requests from outside
To: Marty Cawthon
cc: security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG

> I run an OS/2 Warp Server Network, a derivative of LAN Manager, and so
> common ancestry with Microsoft Networks. This network uses NetBIOS
> and "NetBIOS over TCP/IP" (TCPBeui). The TCPBeui sounds to be the same
> as that described above and in related messages.
>
> To get the TCPBeui to work properly it was required to add the
> Warp-Server IP addresses to a "Broadcast" list. At first I set up the
> network with true IP subnet broadcast addresses in that file.
>
> When I had trouble, IBM support advised me to specifically add the
> Warp-Server IP addresses to the Broadcast list. This resulted in the
> TCPBeui network functioning properly.
>
> I don't understand the details of why/how, but submit this information
> in response to the "broadcast theories/explicit server address" comment
> above. It may be that the true story about the behavior you see may
> include "specific destination addresses in a broadcast list".

Not likely in this case, since my server is a FreeBSD box that has
never offered any NetBIOS services; and the packets in question are
coming from outside my network. (I.e., there is absolutely no legitimate
reason why the machine sending the packets should have been configured
with my server's IP address listed as -any- server.)

I think it is much more likely that they are doing a DNS resolution
from my DNS server; and then attempting to obtain a 'Windows' name for
the host via NetBIOS-NS, also from my DNS server.

-Pat
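One way to check the hypothesis in the reply above against captured UDP/137 payloads, as an added example that is not part of the original message: decode the NetBIOS-NS question and flag a unicast node status (NBSTAT) request for the wildcard name "*", which is what a host sends to learn the NetBIOS names behind an IP address. The thread shows no packet capture, so that the outside packets have this form is an assumption; both sample packets and the name FILESRV are constructed.

```python
import struct

QTYPE_NB, QTYPE_NBSTAT = 0x0020, 0x0021   # RFC 1002 question types

def encode_name(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble becomes a letter 'A'..'P'."""
    return bytes(0x41 + n for b in raw16 for n in (b >> 4, b & 0x0F))

def decode_name(enc: bytes) -> bytes:
    if len(enc) != 32 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def parse_nbns_question(payload: bytes) -> dict:
    """Parse the header and first question of a UDP/137 payload."""
    if len(payload) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("too short for an NBNS question")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if qdcount < 1 or payload[12] != 0x20:
        raise ValueError("no question with a 32-byte name label")
    name = decode_name(payload[13:45])
    off = 45
    while payload[off] != 0:               # skip optional scope labels
        off += 1 + payload[off]
        if off >= len(payload):
            raise ValueError("unterminated name")
    if off + 5 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!2H", payload[off + 1:off + 5])
    return {
        "txid": txid,
        "response": bool(flags & 0x8000),
        "broadcast": bool(flags & 0x0010),  # B bit of NM_FLAGS
        "name": name[:15].rstrip(b" \x00").decode("ascii", "replace"),
        "suffix": name[15],
        "qtype": qtype,
        # Request (not response) of type NBSTAT for "*": a name lookup of this IP.
        "status_probe": (qtype == QTYPE_NBSTAT and not flags & 0x8000
                         and name == b"*" + b"\x00" * 15),
    }

def build_question(raw16: bytes, qtype: int, flags: int) -> bytes:
    """Build a constructed sample packet (hypothetical helper for this example)."""
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    return header + b"\x20" + encode_name(raw16) + b"\x00" + struct.pack("!2H", qtype, 1)

# Constructed samples: a unicast wildcard status request and a LAN broadcast name query.
PROBE = build_question(b"*" + b"\x00" * 15, QTYPE_NBSTAT, 0x0000)
LAN_QUERY = build_question(b"FILESRV".ljust(15) + b"\x20", QTYPE_NB, 0x0110)

if __name__ == "__main__":
    for pkt in (PROBE, LAN_QUERY):
        print(parse_nbns_question(pkt))
```

On the wire the wildcard name appears as the ASCII string "CK" followed by thirty "A" characters, which makes these requests easy to spot in a raw dump.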