From owner-freebsd-questions Sun Sep 3 21:52:29 2000
From: Mike Meyer
Date: Sun, 3 Sep 2000 23:52:23 -0500 (CDT)
To: Greg Lehey
Cc: questions@FreeBSD.ORG
Subject: Re: Self-initiated DOS? (was: signature?)
Message-ID: <14771.10887.56293.866190@guru.mired.org>
In-Reply-To: <20000904104918.B57161@wantadilla.lemis.com>
References: <25395295@toto.iv> <14770.39487.46522.546296@guru.mired.org> <20000904104918.B57161@wantadilla.lemis.com>

Greg Lehey writes:
> On Sunday, 3 September 2000 at 13:36:47 -0500, Mike Meyer wrote:
> > groggy@iname.com writes:
> >>> It's not port UDP 68, it's netbios-ns; it's Windows boxes that like to do a
> >>> netbios nameserver lookup on whoever connects to them. MS assumed that
> >>> anything connecting to them "must" be a windows box and tries to log the
> >>> Netbios name of it.... these end up as mostly noise in firewall logs.
> >>>
> >>> I specifically disabled monitoring of UDP 137/138 in my own firewalls as the
> >>> number of stupid IIS servers that kept trying to find out the netbios name
> >>> of the squid proxies was filling the logs with useless information...
> >> this sounds good to me :) i figured it was some IIS crap ...
> >> i think my ISP recently replaced their SunOS and System V boxes
> >> with IIS servers - i know they renamed all their boxes - and that's
> >> when this problem started.
> >> it still bothers me that they have a right
> >> to clutter my connection with so much useless garbage! i mean, it does
> >> cause "stalls" on connections to my server since 10 seconds
> >> of every minute my connection is jammed with this garbage ...
> >> it would be a hassle to change providers for many reasons,
> >> do i have any right to make them stop? :) i mean, it's
> >> almost a DOS attack, isn't it? :)
> > If you feel like it's a DOS (or some other form of) attack, then it
> > is. Treat it as one - as correctly as possible. Don't assume that they
> > are doing it on purpose, or even know that it's going on. Report it as
> > an attack that may be coming from someone having broken into their
> > systems, and ask them to deal with it.
> It's difficult to say "I'm having a denial of service attack, and it's
> coming from my machine" and be convincing.

If that's indeed the case, you're right. But from the description
above, the IIS servers are doing queries they really have no business
doing. On the other hand, that's no worse than the far-too-common
apache server that does ident queries.