Date:      Sun, 3 Sep 2000 23:52:23 -0500 (CDT)
From:      Mike Meyer <mwm@mired.org>
To:        Greg Lehey <grog@lemis.com>
Cc:        questions@FreeBSD.ORG
Subject:   Re: Self-initiated DOS? (was: signature?)
Message-ID:  <14771.10887.56293.866190@guru.mired.org>
In-Reply-To: <20000904104918.B57161@wantadilla.lemis.com>
References:  <25395295@toto.iv> <14770.39487.46522.546296@guru.mired.org> <20000904104918.B57161@wantadilla.lemis.com>

Greg Lehey writes:
> On Sunday,  3 September 2000 at 13:36:47 -0500, Mike Meyer wrote:
> > groggy@iname.com writes:
> >>> It's not port UDP 68, it's netbios-ns; it's Windows boxes that like to do a
> >>> netbios nameserver lookup on whoever connects to them. MS assumed that
> >>> anything connecting to them "must" be a windows box and tries to log the
> >>> Netbios name of it.... these end up as mostly noise in firewall logs.
> >>>
> >>> I specifically disabled monitoring of UDP 137/138 in my own firewalls as the
> >>> number of stupid IIS servers that kept trying to find out the netbios name
> >>> of the squid proxies was filling the logs with useless information...
> >> this sounds good to me :)  i figured it was some IIS crap ...
> >> i think my ISP recently replaced their SunOS and System V boxes
> >> with IIS servers - i know they renamed all their boxes - and that's
> >> when this problem started.  it still bothers me that they have a right
> >> to clutter my connection with so much useless garbage!  i mean, it does
> >> cause "stalls" on connections to my server since 10 seconds
> >> of every minute my connection is jammed with this garbage ...
> >> it would be a hassle to change providers for many reasons,
> >> do i have any right to make them stop? :)  i mean, it's
> >> almost a DOS attack, isn't it? :)
> > If you feel like it's a DOS (or some other form of) attack, then it
> > is. Treat it as one - as correctly as possible. Don't assume that they
> > are doing it on purpose, or even know that it's going on. Report it as
> > an attack that may be coming from someone having broken into their
> > systems, and ask them to deal with it.
> It's difficult to say "I'm having a denial of service attack, and it's
> coming from my machine" and be convincing.

If that's indeed the case, you're right. But from the description
above, the IIS servers are doing queries they really have no business
doing.

On the other hand, that's no worse than the far-too-common apache
server that does ident queries.

	<mike


