Security Basics mailing list archives
NetBIOS Messenger spam - how did it get in?
From: Damon McMahon <inst_karma () hotmail com>
Date: 25 Oct 2002 09:36:09 -0000
Greetings,

The gateway host of my small workgroup has just become a 'victim' of the recent spate of SPAM using the NetBIOS Messenger Service. However, I'm seeking advice on how it managed to get through what I thought was a reasonably secure gateway.

The gateway is a Windows 2000 host which connects to the internet via an external IP dynamically assigned by my ISP, and to an internal network via a 192.168.0.0/24 IP assigned by the Windows Internet Connection Sharing service. I have ZoneAlarm Pro installed on the gateway, which allows NetBIOS traffic over the 192.168.0.0/24 subnet but rejects NetBIOS traffic from any other IP. This rule is explicitly defined in the ZA Pro configuration, and appears to be working as the ZA Pro logs are full of rejected packets from internet IPs attempting to access NetBIOS ports on the host.

From what I understand, such a firewall configuration should discard any traffic to ports 135, 137-139 from any hosts not on the internal network. Clearly there has been a breach. The only possible explanation I can conceive is that the source of the NetBIOS message spoofed its IP address to be in the 192.168.0.0/24 range:

1. Is this possible? I would have thought any packet with such a spoofed IP address would be deemed non-routable by any of the routers between the source host and mine, and hence would never make it to my host?

2. If this is possible, is there any inexpensive [preferably free!] method of configuring Windows 2000 (with or without ZA Pro) to filter packets on the basis of interface as well as IP address? For example, BSD variants come with an inbuilt firewall called ipfw which enables you to construct a rule denying all packets with an address 192.168.0.0/24 from passing via the external interface, while allowing such packets to pass via the internal interface.

3. Are there any other explanations for this intrusion?

Any advice will be most appreciated. Please email me on inst_karma A T hotmail D O T com if you require more detailed information.
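The difference between filtering on source address alone and filtering on source address plus arrival interface (the ipfw-style rule in question 2), as an added example that is not part of the original post. It assumes the address-only rule matches purely on the claimed source IP; the interface names and sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")  # internal subnet from the post
NETBIOS_PORTS = {135, 137, 138, 139}                   # ports named in the post
EXT_IF, INT_IF = "ext0", "int0"                        # hypothetical interface names

@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    src: str        # source address claimed in the IP header
    dst_port: int

def _src_internal(pkt):
    return ipaddress.ip_address(pkt.src) in INTERNAL_NET

def address_only_allows(pkt):
    """Assumed model of a source-address-only rule: trust the claimed source."""
    if pkt.dst_port not in NETBIOS_PORTS:
        return True                 # not covered by this rule
    return _src_internal(pkt)

def interface_aware_allows(pkt):
    """ipfw-style rule from question 2: the arrival interface is checked too."""
    if _src_internal(pkt) and pkt.iface != INT_IF:
        return False                # internal-range source on the wrong interface
    if pkt.dst_port not in NETBIOS_PORTS:
        return True                 # not covered by this rule
    return _src_internal(pkt)

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "lan_client":     Packet(INT_IF, "192.168.0.12", 139),
    "internet_host":  Packet(EXT_IF, "203.0.113.7", 137),
    "claims_lan_src": Packet(EXT_IF, "192.168.0.50", 135),
}

def compare():
    """Return {name: (address_only, interface_aware)} allow decisions."""
    return {n: (address_only_allows(p), interface_aware_allows(p))
            for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (addr_only, iface_aware) in compare().items():
        print(f"{name:15} address-only={addr_only!s:5} interface-aware={iface_aware}")
```

Only the third packet is decided differently: its source lies in the internal range but it arrives on the external interface, which a rule keyed on source address alone cannot distinguish from LAN traffic.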