Educause Security Discussion mailing list archives
Re: Proliferation of NBT queries
From: Curt Wilson <curtw () SIU EDU>
Date: Thu, 1 Oct 2009 15:10:09 -0500
I've seen so much port 137 traffic over the years, it's so chatty and so common that I've become desensitized to its presence. I don't recall much, if any, actual malicious activity that correlated to its presence.

What's in the query? Do you have data in your lmhosts files on those boxen that might be triggering an NBNS lookup? Are the hosts trying to resolve a name that's failing other queries (DNS, etc.) and then resorting to NetBIOS name service? If it's important enough to get to the bottom of, I'd grab some pcaps from the originating boxen and analyze them with Wireshark or equivalent, and try to correlate that with specific activity on the boxes. But it doesn't sound like a security-related issue, based on what you are saying.

You also might want to put a debugger such as Olly debugger on Bonjour/iTunes and run something like the Olly socket trace plugin to enumerate what it's doing on the network. I'm not sure if it isn't just calling other Windows functions that are doing the actual traffic origination, though; you'll have to see. In that case you'd have to dig a little deeper and it might not be worth the effort.

http://reversengineering.wordpress.com/2008/08/23/olly-sockettrace-10/

Dennis Bohn wrote:
> We have been seeing some odd traffic on the network, and wanted to see if anyone else has noticed this. About three weeks ago, we started seeing a large volume of NBT queries (UDP port 137) to our DHCP servers. Certain machines do this repeatedly, 30-60 times a minute. Oddly, our DHCP servers are Linux.
>
> As things evolved, we discovered that the machines doing the queries had autoconfigured printers that had been shared (inadvertently) on other Windows boxen. We have not proved, but have a high index of suspicion, that it is iTunes/Bonjour that is discovering and autoconfiguring the printers. We can't be certain that machines weren't previously using the DHCP servers for NBT queries; it may have been at a low level and gone unnoticed.
>
> So, there are two issues:
> 1) Has anyone else seen PC-shared printers become autoconfigured on another PC?
> 2) We still have no idea why the machines are querying the DHCP servers; the Windows boxes still show no WINS server. Have googled, and the DHCP server is not in the documented search order for Microsoft machines.
>
> Best,
> dennis
>
> Dennis Bohn
> network manager
> 5168773327
-- Curt Wilson SIUC IT Security Officer & Security Engineer
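The two practical questions raised in this thread, "what's in the query?" and "which hosts are sending 30-60 of them a minute to the DHCP server?", can be answered from a pcap without a debugger. The following is an added example, not code from either poster: it builds and parses NBNS name-query packets (the UDP 137 payload) using the NetBIOS first-level name encoding (each byte split into two nibbles, each written as 'A' + nibble, giving 32 encoded bytes for the 15-character name plus the one-byte service suffix), then counts queries per source/destination pair in 60-second windows and reports the pairs that meet the thread's 30-per-minute rate. The packet list, IP addresses, host names and timestamps are constructed for the example; `build_nbns_query` exists only so the sample runs offline, and real input would be the UDP payloads pulled from the capture.

```python
import struct
from collections import defaultdict

NBNS_QTYPE_NB = 0x0020    # NetBIOS general name service query
NBNS_QCLASS_IN = 0x0001


def encode_netbios_name(name, suffix):
    """First-level encode NAME (max 15 chars, space padded) plus SUFFIX byte -> 32 bytes."""
    padded = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix & 0xFF])
    out = bytearray()
    for b in padded:
        out.append(0x41 + (b >> 4))      # high nibble -> 'A'..'P'
        out.append(0x41 + (b & 0x0F))    # low nibble  -> 'A'..'P'
    return bytes(out)


def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name: 32 encoded bytes -> (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("NetBIOS names are 32 encoded bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi < 16 and 0 <= lo < 16):
            raise ValueError("invalid half-ASCII nibble at offset %d" % i)
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(txid, name, suffix=0x20, broadcast=False):
    """Build a standard NBNS name query; used here only to construct sample traffic."""
    flags = 0x0100 | (0x0010 if broadcast else 0)   # opcode QUERY, RD set, optional B bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = (b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
                + struct.pack("!HH", NBNS_QTYPE_NB, NBNS_QCLASS_IN))
    return header + question


def parse_nbns_query(payload):
    """Parse a UDP/137 payload; return a dict for a single-question query, else None."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount != 1:     # response, or not a one-question query
        return None
    off = 12
    if len(payload) < off + 34 + 4 or payload[off] != 0x20:
        return None
    name, suffix = decode_netbios_name(payload[off + 1:off + 33])
    off += 33
    if payload[off] != 0:                   # scope ID present; not expected on a flat LAN
        return None
    off += 1
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"txid": txid, "name": name, "suffix": suffix, "qtype": qtype,
            "qclass": qclass, "broadcast": bool(flags & 0x0010)}


def chatty_hosts(packets, threshold=30, window=60.0):
    """packets: iterable of (timestamp, src_ip, dst_ip, udp_payload).

    Returns {(src, dst, window_index): (query_count, sorted NAME<suffix> list)}
    for every pair that sent at least THRESHOLD NBNS queries inside one window."""
    buckets = defaultdict(lambda: {"count": 0, "names": set()})
    for ts, src, dst, payload in packets:
        q = parse_nbns_query(payload)
        if q is None:
            continue
        key = (src, dst, int(ts // window))
        buckets[key]["count"] += 1
        buckets[key]["names"].add("%s<%02X>" % (q["name"], q["suffix"]))
    return {k: (v["count"], sorted(v["names"]))
            for k, v in buckets.items() if v["count"] >= threshold}


# Constructed sample capture (hypothetical addresses and names, not from the thread):
DHCP_SERVER = "10.0.0.5"          # stands in for the Linux DHCP server
SAMPLE_PACKETS = []
for i in range(40):               # one host hammering the DHCP server, 40 queries/min
    SAMPLE_PACKETS.append((1020.0 + i * 1.4, "10.0.1.23", DHCP_SERVER,
                           build_nbns_query(0x8000 + i, "PRINTSRV", 0x20)))
for i in range(2):                # a quiet host, normal background lookups
    SAMPLE_PACKETS.append((1020.0 + i * 20, "10.0.1.77", DHCP_SERVER,
                           build_nbns_query(0x100 + i, "FILESRV", 0x20)))
# an NBNS response (QR bit set) that must be ignored by the counter
SAMPLE_PACKETS.append((1030.0, DHCP_SERVER, "10.0.1.23", b"\x80\x00\x85\x80" + b"\x00" * 8))

if __name__ == "__main__":
    for (src, dst, win), (count, names) in chatty_hosts(SAMPLE_PACKETS).items():
        print("%s -> %s: %d NBNS queries in window %d for %s" % (src, dst, count, win, names))
```

Feeding real traffic in means extracting the UDP payloads for destination port 137 from the pcap (the `nbns` display filter in Wireshark or tshark isolates them); the suffix byte is the part worth looking at, since `<20>` (file/print server service) on the name of the box hosting the shared printer is what you would expect if a print-queue client is behind the lookups, whereas `<00>` or `<1C>` would point at something else entirely.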