Educause Security Discussion mailing list archives
Proliferation of NBT queries
From: Dennis Bohn <BOHN () ADELPHI EDU>
Date: Thu, 1 Oct 2009 09:39:04 -0400
We have been seeing some odd traffic on the network, and wanted to see if anyone else has noticed this. About three weeks ago, we started seeing a large volume of NBT queries (udp port 137) to our DHCP servers. Certain machines do this repeatedly, 30-60 times a minute. Oddly, our DHCP servers are Linux. As things evolved, we discovered that the machines doing the queries had autoconfigured printers that had been shared (inadvertently) on other Windows boxen. We have not proved, but have a high index of suspicion that it is Itunes/Bonjour that is discovering and autoconfiguring the printers. We can't be certain that machines weren't previously using the DHCP servers for NBT queries; it may have been at a low level and gone unnoticed. So, there are two issues: 1) Has anyone else seen PC-shared printers become autoconfigured on another PC? 2) We still have no idea why the machines are querying the DHCP servers, the Windows boxes still show no WINS server. Have googled, and the DHCP server is not the documented search order for Microsoft machines. Best, dennis Dennis Bohn network manager 5168773327
Current thread:
- Proliferation of NBT queries Dennis Bohn (Oct 01)
- <Possible follow-ups>
- Re: Proliferation of NBT queries Curt Wilson (Oct 01)