Date: Thu, 22 Feb 2001 02:27:20 -0500 (EST)
From: "Michael Richards" <michael@fastmail.ca>
To: cjclark@reflexnet.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Odd firewall messages
Message-ID: <3A94BF58.000023.66147@frodo.searchcanada.ca>

>> Anyone have any wisdom when it comes to decoding what I'm seeing
>> here?
>
> That is the NetBIOS garbage that WinXX machines chatter with. You
> redacted the destination IPs, were they broadcast addresses? Those
> are NetBIOS name resolution packets. They could be hostile, but by
> far the most probable scenario is someone with a misconfigured
> network is leaking them. You would not happen to be living off of
> a public broadcast domain?

These were not broadcast addresses. In fact, some of the IPs were not even used. I assumed it was some sort of scanning but was not able to figure out how they were getting answers. It seems odd that providers would not filter outgoing packets if they are coming from IPs that don't belong to the ISP.

We are hooked up directly to the core router at our service provider. No public or broadcast happening with us.

The 137 seems to point to NetBIOS but there are others such as:

21/02/2001 10:54:22.184764 xl1 @0:6 b 10.3.0.146,1957 -> x.x.x.x,80 PR tcp len 20 11264 -S IN

That are hitting the webserver of our busiest server. I guess it's probably nothing to worry about.

-Michael
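A triage sketch for log lines like the one quoted in the message above, added here as an example and not part of the original post. It assumes the lines follow the ipmon (IP Filter) layout that the quoted line matches; the function names, tag strings and the second sample line are constructed for illustration.

```python
import ipaddress
import re

# Field layout assumed from the quoted log line (ipmon style):
# date time iface @group:rule action src,sport -> dst,dport PR proto len hdr total [-flags] dir
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[^,\s]+),(?P<sport>\d+) -> (?P<dst>[^,\s]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?: -(?P<flags>\S+))? (?P<dir>IN|OUT)$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETBIOS_NS = 137  # NetBIOS name service port mentioned in the thread

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Tag a parsed record with the traits discussed in the thread."""
    tags = []
    try:
        src = ipaddress.ip_address(rec["src"])
    except ValueError:
        src = None  # redacted or malformed address, e.g. "x.x.x.x"
    if src is not None and rec["dir"] == "IN" and any(src in n for n in RFC1918):
        tags.append("rfc1918-source-inbound")  # source not routable on the public Internet
    if int(rec["dport"]) == NETBIOS_NS:
        tags.append("netbios-ns")
    if rec["proto"] == "tcp" and rec["flags"] == "S":
        tags.append("tcp-syn")  # bare SYN: a connection attempt
    return tags

def triage(lines):
    """Parse every line; return (src, dport, tags) for those that match the layout."""
    recs = (parse(line) for line in lines)
    return [(r["src"], int(r["dport"]), classify(r)) for r in recs if r]

SAMPLE = [
    # Line quoted in the message, destination redacted by the poster.
    "21/02/2001 10:54:22.184764 xl1 @0:6 b 10.3.0.146,1957 -> x.x.x.x,80 PR tcp len 20 11264 -S IN",
    # Constructed line using documentation addresses, not from the original post.
    "21/02/2001 10:55:01.000001 xl1 @0:6 b 198.51.100.7,137 -> 192.0.2.10,137 PR udp len 20 78 IN",
    "not a firewall log line",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```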