Date: Mon, 4 Sep 2000 14:38:10 +0930
From: Greg Lehey <grog@lemis.com>
To: Mike Meyer <mwm@mired.org>
Cc: questions@FreeBSD.ORG
Subject: Re: Self-initiated DOS? (was: signature?)
Message-ID: <20000904143809.B456@wantadilla.lemis.com>
In-Reply-To: <14771.10887.56293.866190@guru.mired.org>; from mwm@mired.org on Sun, Sep 03, 2000 at 11:52:23PM -0500
References: <25395295@toto.iv> <14770.39487.46522.546296@guru.mired.org> <20000904104918.B57161@wantadilla.lemis.com> <14771.10887.56293.866190@guru.mired.org>

On Sunday, 3 September 2000 at 23:52:23 -0500, Mike Meyer wrote:
> Greg Lehey writes:
>> On Sunday, 3 September 2000 at 13:36:47 -0500, Mike Meyer wrote:
>>> groggy@iname.com writes:
>>>>> It's not port UDP 68, it's netbios-ns; it's Windows boxes that like to do a
>>>>> netbios nameserver lookup on whoever connects to them. MS assumed that
>>>>> anything connecting to them "must" be a windows box and tries to log the
>>>>> Netbios name of it.... these end up as mostly noise in firewall logs.
>>>>>
>>>>> I specifically disabled monitoring of UDP 137/138 in my own firewalls as the
>>>>> number of stupid IIS servers that kept trying to find out the netbios name
>>>>> of the squid proxies was filling the logs with useless information...
>>>> this sounds good to me :) i figured it was some IIS crap ...
>>>> i think my ISP recently replaced their SunOS and System V boxes
>>>> with IIS servers - i know they renamed all their boxes - and that's
>>>> when this problem started. it still bothers me that they have a right
>>>> to clutter my connection with so much useless garbage! i mean, it does
>>>> cause "stalls" on connections to my server since 10 seconds
>>>> of every minute my connection is jammed with this garbage ...
>>>> it would be a hassle to change providers for many reasons,
>>>> do i have any right to make them stop? :) i mean, it's
>>>> almost a DOS attack, isn't it? :)
>>> If you feel like it's a DOS (or some other form of) attack, then it
>>> is. Treat it as one - as correctly as possible. Don't assume that they
>>> are doing it on purpose, or even know that it's going on. Report it as
>>> an attack that may be coming from someone having broken into their
>>> systems, and ask them to deal with it.
>> It's difficult to say "I'm having a denial of service attack, and it's
>> coming from my machine" and be convincing.
>
> If that's indeed the case, you're right. But from the description
> above, the IIS servers are doing queries they really have no business
> doing.

No, all the trace showed was two different systems querying a third
one. One of them appears to be the local machine.

Greg
--
When replying to this message, please copy the original recipients.
If you don't, I may ignore the reply.
For more information, see http://www.lemis.com/questions.html
Finger grog@lemis.com for PGP public key
See complete headers for address and phone numbers