Security Incidents mailing list archives
NetBIOS info
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Tue, 21 Mar 2000 18:13:20 -0800
I've added a couple of pages' worth of text to my firewall forensics document in order to discuss the NetBIOS stuff.

http://www.robertgraham.com/pubs/firewall-seen.html#netbios

Some recent questions on this list that I've tried to address in the above document are:

Q: I've seen a lot more lately.
A: Over the past year, Windows products that do reverse lookups have become more popular. Also, you may have misconfigured your DNS.

Q: What are the exact specifics of the packets (length, etc.)?
A: I've put a complete packet dump into the doc.

Q: But my site doesn't run any form of NetBIOS or Windows...
A: ...but it has IP addresses, which is all the Windows clients care about. In any event, it's not a TCP/IP thing, it's a Windows thing.

Q: ...Internet Explorer...
A: I believe that Internet Explorer doesn't do reverse queries; it's something else.

Q: ...bandwidth...
A: Actually, less than the DNS queries that usually precede the NetBIOS queries.

In any event, if you are seeing a lot of these queries, you should immediately suspect your DNS servers. Windoze only sends the NetBIOS packet if the DNS fails. In other words, the "cause" of a lot of NetBIOS traffic is faulty DNS. See the section:

http://www.robertgraham.com/pubs/firewall-seen.html#10.6

Robert Graham
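
For triaging the UDP/137 traffic discussed in the post above, here is an added example (not part of the original message or the linked document) that classifies a captured payload using the RFC 1001/1002 name service layout and picks out the wildcard node status (NBSTAT) request, the query form used to ask an IP address for its NetBIOS names. The function names and the sample packet are constructed for illustration.

```python
import struct

NBSTAT = 0x0021                    # node status request type (RFC 1002)
WILDCARD = b"*" + b"\x00" * 15     # 16-byte wildcard NetBIOS name


def decode_nb_name(encoded: bytes) -> bytes:
    """Undo RFC 1001 first-level encoding: 32 chars 'A'..'P' -> 16 raw bytes."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))


def classify_udp137(payload: bytes) -> str:
    """Label one UDP/137 payload as logged at a firewall or sniffer."""
    if len(payload) < 12:
        return "malformed: shorter than the 12-byte header"
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:             # top bit set means this is a response
        return "response"
    # One question, 0x20 length byte, 32 encoded chars, no scope, type + class
    if qdcount != 1 or len(payload) < 50 or payload[12] != 0x20 or payload[45] != 0:
        return "other: not a single unscoped question"
    try:
        name = decode_nb_name(payload[13:45])
    except ValueError as exc:
        return f"malformed: {exc}"
    qtype, _qclass = struct.unpack("!2H", payload[46:50])
    if qtype == NBSTAT and name == WILDCARD:
        return "wildcard node status query"
    return f"query type 0x{qtype:04x} for {name.rstrip(bytes([0, 32]))!r}"


# Constructed sample: header, encoded "*" name ("CK" + 30 x "A"), NBSTAT, class IN
SAMPLE = (struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 0)
          + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
          + struct.pack("!2H", NBSTAT, 0x0001))

if __name__ == "__main__":
    print(len(SAMPLE), classify_udp137(SAMPLE))
```
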