Educause Security Discussion mailing list archives

Re: Proliferation of NBT queries


From: Curt Wilson <curtw () SIU EDU>
Date: Thu, 1 Oct 2009 15:10:09 -0500

I've seen so much port 137 traffic over the years, it's so chatty and so
common that I've become desensitized to its presence. I don't recall
much, if any, actual malicious activity that correlated to its presence.

What's in the query? Do you have data in your lmhosts files on those
boxen that might be triggering an NBNS lookup? Are the hosts trying to
resolve a name that's failing other queries (DNS, etc.) and then
resorting to NetBIOS name service?

If it's important enough to get to the bottom of, I'd grab some pcaps
from the originating boxen and analyze them with Wireshark or
equivalent, and try to correlate that with specific activity on the
boxes. But it doesn't sound like a security-related issue, based on what
you are saying.

You also might want to put a debugger such as Olly debugger on
Bonjour/iTunes and run something like the Olly socket trace plugin to
enumerate what it's doing on the network. I'm not sure if it isn't just
calling other Windows functions that are doing the actual traffic
origination, though; you'll have to see. In that case you'd have to dig a
little deeper and it might not be worth the effort.

http://reversengineering.wordpress.com/2008/08/23/olly-sockettrace-10/



Dennis Bohn wrote:
We have been seeing some odd traffic on the network, and wanted to see if anyone else has noticed this. About three
weeks ago, we started seeing a large volume of NBT queries (UDP port 137) to our DHCP servers. Certain machines do
this repeatedly, 30-60 times a minute. Oddly, our DHCP servers are Linux.

As things evolved, we discovered that the machines doing the queries had autoconfigured printers that had been shared
(inadvertently) on other Windows boxen. We have not proved, but have a high index of suspicion, that it is
iTunes/Bonjour that is discovering and autoconfiguring the printers. We can't be certain that machines weren't
previously using the DHCP servers for NBT queries; it may have been at a low level and gone unnoticed.

So, there are two issues:

1) Has anyone else seen PC-shared printers become autoconfigured on another PC?

2) We still have no idea why the machines are querying the DHCP servers; the Windows boxes still show no WINS server.
Have googled, and the DHCP server is not in the documented search order for Microsoft machines.

Best,
dennis

Dennis Bohn
network manager
5168773327



--
Curt Wilson
SIUC IT Security Officer & Security Engineer
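As an added example (not code from either message in this thread), here is a small Python decoder for the NBNS name query payloads that a pcap of the udp/137 traffic would contain, so the "what's in the query?" question can be answered by tabulating which hosts ask which NetBIOS names of the DHCP server. The packet layout follows RFC 1002; the function names, IP addresses and host names are constructed sample values, not anything from the list posts.

```python
import struct
from collections import Counter
# Constructed helper/sample names; decoders follow the RFC 1002 NBNS packet layout.

def nbns_encode(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name: pad to 15 chars, append the suffix
    byte, then split every byte into two nibbles and add 'A' (0x41) to each."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes(out)

def nbns_decode(encoded: bytes) -> tuple:
    """Reverse of nbns_encode: 32 encoded chars -> (name, suffix byte)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_nbns_query(payload: bytes):
    """Parse one UDP/137 payload. Returns (name, suffix, is_query), or None if
    the packet is not a single-question NBNS packet with a 32-char label."""
    if len(payload) < 50:          # 12-byte header + 34-byte name + type/class
        return None
    tid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if qd != 1 or payload[12] != 0x20:
        return None
    name, suffix = nbns_decode(payload[13:45])
    return name, suffix, (flags & 0x8000) == 0   # QR bit clear = query

def nbns_query(name: str, suffix: int = 0x20, tid: int = 0x1234) -> bytes:
    """Build a NAME QUERY REQUEST (flags: recursion desired) for sample traffic."""
    header = struct.pack("!6H", tid, 0x0100, 1, 0, 0, 0)
    question = b"\x20" + nbns_encode(name, suffix) + b"\x00" + struct.pack("!HH", 0x20, 1)
    return header + question

def triage(packets):
    """packets: iterable of (src_ip, dst_ip, udp_payload). Returns a Counter keyed
    by (src, dst, name, suffix): which hosts ask which names of which server."""
    seen = Counter()
    for src, dst, payload in packets:
        parsed = parse_nbns_query(payload)
        if parsed and parsed[2]:
            seen[(src, dst, parsed[0], parsed[1])] += 1
    return seen

# Constructed sample: two workstations querying the (Linux) DHCP server on udp/137.
SAMPLE = [("10.0.0.5", "10.0.0.1", nbns_query("PRINTSRV"))] * 3 + \
         [("10.0.0.7", "10.0.0.1", nbns_query("FILESRV", 0x00))]

if __name__ == "__main__":
    for key, n in triage(SAMPLE).most_common():
        print(f"{key[0]} -> {key[1]}  {key[2]}<{key[3]:02X}>  x{n}")
```

On real data, feed it the UDP payloads of the port 137 packets exported from the pcap (for example with tshark's field output); the suffix byte tells you which service the client was resolving, 0x20 being the file/print server service.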
