Security Incidents mailing list archives

Re: NetBIOS info


From: billp () ROCKETCASH COM (Bill Pennington)
Date: Wed, 22 Mar 2000 15:36:31 -0800


Great stuff. Thanks Robert! A few comments... maybe more along the lines
of a rant, but...

It just seems a little silly to me that in order to prevent this stuff
from landing on my link I need to set up PTR records for all my boxes.
What if I do not want PTR records (for whatever sick and twisted reason)?
Now I have to put up with all this cruft getting shoved down my pipe.

I think we can agree that not everyone is going to have PTR records
set up or even configured correctly to stop this stuff. It looks like a
big bandwidth hog to me. If gethostbyaddr fails then let it fail; no need
to send out more packets. Also, someone sent me an e-mail wondering if
you could use this as an attack method. It would seem like an easy way
to guess the OS without ever sending a probe packet to the host. If you
had some NetBIOS bomb or auto Windows hack tool you could set up a site,
wait to get some NetBIOS request, then attack. I am sure there is a
better way to handle it but that is a topic for Vuln-dev, not here.

OK, off the soapbox... :-)

Robert Graham wrote:

I've added a couple of pages worth of text to my firewall forensics
document in order to discuss the NetBIOS stuff.
http://www.robertgraham.com/pubs/firewall-seen.html#netbios

Some recent questions on this list that I've tried to address in the
above document are:

Q: I've seen a lot more lately.
A: Over the past year, Windows products that do reverse lookups have
become more popular. Also, you may have misconfigured your DNS.

Q: What are the exact specifics of the packets (length, etc.)?
A: I've put a complete packet dump into the doc.

Q: But my site doesn't run any form of NetBIOS or Windows...
A: ...but it has IP addresses, which is all the Windows clients care
about. In any event, it's not a TCP/IP thing, it's a Windows thing.

Q: ...Internet Explorer...
A: I believe that Internet Explorer doesn't do reverse queries; it's
something else.

Q: ...bandwidth...
A: Actually, less than the DNS queries that usually precede the
NetBIOS queries.

In any event, if you are seeing a lot of these queries, you should
immediately suspect your DNS servers. Windoze only sends the NetBIOS
packet if the DNS fails. In other words, the "cause" of a lot of NetBIOS
traffic is faulty DNS. See the section:
http://www.robertgraham.com/pubs/firewall-seen.html#10.6

Robert Graham

--

Bill Pennington
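As an added example (not part of this thread and not code from Robert Graham's document), here is a small Python decoder for the NetBIOS node-status request (RFC 1002, QTYPE NBSTAT, UDP/137) that Windows sends to a peer once the reverse DNS lookup has failed. A defender can run it over the UDP payload of port-137 hits in firewall captures to confirm they are this lookup rather than something else; the transaction ID and the sample packet below are constructed.

```python
import struct

NBSTAT = 0x0021     # QTYPE: node status request (RFC 1002)
QCLASS_IN = 0x0001

def decode_nb_name(encoded):
    """Undo RFC 1002 first-level encoding: each name byte is sent as two
    letters 'A'..'P' carrying its high and low nibble. Returns
    (name, suffix) where suffix is the 16th byte (service type)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # the wildcard name is '*' padded with NULs; regular names use spaces
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]

def parse_nbstat_query(payload):
    """Return (txid, name, suffix) if payload is a NetBIOS node-status
    request, otherwise None (responses, name queries, junk)."""
    if len(payload) < 12 + 1 + 32 + 1 + 4:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qd != 1 or (an, ns, ar) != (0, 0, 0):
        return None          # a response, or not a single-question request
    if payload[12] != 0x20 or payload[45] != 0x00:
        return None          # expect one 32-byte label then the root label
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    if qtype != NBSTAT or qclass != QCLASS_IN:
        return None
    name, suffix = decode_nb_name(payload[13:45])
    return txid, name, suffix

def build_wildcard_nbstat_query(txid):
    """Construct the wildcard ('*') node-status request, the form the
    reverse-lookup traffic discussed in the thread takes. Used here only
    to produce a sample packet; txid is arbitrary."""
    raw = b"*" + b"\x00" * 15
    encoded = bytes(b for byte in raw
                    for b in ((byte >> 4) + 0x41, (byte & 0x0F) + 0x41))
    header = struct.pack("!6H", txid, 0x0000, 1, 0, 0, 0)
    return (header + b"\x20" + encoded + b"\x00"
            + struct.pack("!HH", NBSTAT, QCLASS_IN))

SAMPLE = build_wildcard_nbstat_query(0x1234)   # constructed, 50 bytes

if __name__ == "__main__":
    print(parse_nbstat_query(SAMPLE))          # (4660, '*', 0)
```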


