OSEC

Subject: Re: NetBIOS info
From: Bill Pennington (billpROCKETCASH.COM)
Date: Wed Mar 22 2000 - 17:36:31 CST


Great stuff. Thanks Robert! A few comments... Maybe more along the lines
of a rant but...

It just seems a little silly to me that in order to prevent this stuff
from landing on my link I need to set up PTR records for all my boxes.
What if I do not want PTR records (for whatever sick and twisted reason)?
Now I have to put up with all this cruft getting shoved down my pipe.

I think we can agree that not everyone is going to have PTR records
set up or even configured correctly to stop this stuff. It looks like a
big bandwidth hog to me. If gethostbyaddr fails then let it fail; no need
to send out more packets. Also someone sent me an e-mail wondering if
you could use this as an attack method. It would seem like an easy way
to guess the OS without ever sending a probe packet to the host. If you
had some NetBIOS bomb or auto Windows hack tool you could set up a site,
wait to get some NetBIOS request, then attack. I am sure there is a
better way to handle it but that is a topic for Vuln-dev, not here.

OK, off the soapbox... :-)

Robert Graham wrote:
>
> I've added a couple of pages worth of text to my firewall forensics
> document in order to discuss the NetBIOS stuff.
> http://www.robertgraham.com/pubs/firewall-seen.html#netbios
>
> Some recent questions on this list that I've tried to address in the
> above document are:
>
> Q: I've seen a lot more lately.
> A: Over the past year, Windows products that do reverse lookups have
> become more popular. Also, you may have misconfigured your DNS.
>
> Q: What are the exact specifics of the packets (length, etc.)?
> A: I've put a complete packet dump into the doc.
>
> Q: But my site doesn't run any form of NetBIOS or Windows...
> A: ...but it has IP addresses, which is all the Windows clients care
> about. In any event, it's not a TCP/IP thing, it's a Windows thing.
>
> Q: ...Internet Explorer...
> A: I believe that Internet Explorer doesn't do reverse queries; it's
> something else.
>
> Q: ...bandwidth...
> A: Actually, less than the DNS queries that usually precede the
> NetBIOS queries.
>
> In any event, if you are seeing a lot of these queries, you should
> immediately suspect your DNS servers. Windoze only sends the NetBIOS
> packet if the DNS fails. In other words, the "cause" of a lot of NetBIOS
> traffic is faulty DNS. See the section:
> http://www.robertgraham.com/pubs/firewall-seen.html#10.6
>
> Robert Graham

--

Bill Pennington
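
[Editor's note, not part of the thread.] The packet Robert refers to, the one a Windows host sends to UDP port 137 after its reverse DNS lookup fails, is a NetBIOS Name Service node status request for the wildcard name "*" (RFC 1001/1002). The Python below is an added example written for this archive page; it is not code from either poster or from the firewall-seen document. It builds that request and parses one, so a payload pulled from a firewall or sniffer log can be recognised as the reverse-lookup fallback rather than as a deliberate scan. The sample bytes, the transaction ID 0x8001 and the all-zero flags word are constructed for illustration and are assumptions, not values taken from the page.

```python
import struct

# NBNS header (RFC 1002 section 4.2.1.1): id, flags, qdcount, ancount, nscount, arcount
NBNS_HEADER = struct.Struct("!HHHHHH")
QTYPE_NB = 0x0020      # ordinary NetBIOS name query
QTYPE_NBSTAT = 0x0021  # node status request (what the reverse-lookup fallback sends)
QCLASS_IN = 0x0001


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name (RFC 1001 section 14.1).

    The name is padded to 15 bytes (NULs for the "*" wildcard, spaces otherwise),
    a 16th suffix byte is appended, and every byte is split into two nibbles, each
    written as 'A' + nibble.  Returns the full question-name label: length byte
    0x20, 32 encoded characters, terminating 0x00.
    """
    pad = b"\x00" if name == "*" else b" "
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix & 0xFF])
    encoded = bytearray()
    for b in raw:
        encoded.append(ord("A") + (b >> 4))
        encoded.append(ord("A") + (b & 0x0F))
    return bytes([32]) + bytes(encoded) + b"\x00"


def decode_netbios_name(encoded: bytes) -> tuple:
    """Reverse encode_netbios_name for the 32 encoded characters; returns (name, suffix)."""
    if len(encoded) != 32 or any(c < ord("A") or c > ord("P") for c in encoded):
        raise ValueError("question name is not first-level encoded")
    raw = bytes(((encoded[i] - ord("A")) << 4) | (encoded[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    name = raw[:15].rstrip(b" \x00").decode("ascii", "replace")
    return name, raw[15]


def build_node_status_request(txid: int = 0x8001) -> bytes:
    """Construct the 50-byte NBSTAT query for "*" (txid and zero flags are assumed values)."""
    header = NBNS_HEADER.pack(txid, 0x0000, 1, 0, 0, 0)
    question = encode_netbios_name("*") + struct.pack("!HH", QTYPE_NBSTAT, QCLASS_IN)
    return header + question


def parse_nbns_query(payload: bytes) -> dict:
    """Parse a single-question NBNS query from a UDP/137 payload; raises ValueError if malformed."""
    if len(payload) < NBNS_HEADER.size:
        raise ValueError("too short for an NBNS header")
    txid, flags, qdcount, _an, _ns, _ar = NBNS_HEADER.unpack_from(payload, 0)
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off = NBNS_HEADER.size
    # label length byte, 32 encoded characters, 0x00 terminator, QTYPE, QCLASS
    if len(payload) < off + 1 + 32 + 1 + 4 or payload[off] != 32:
        raise ValueError("malformed question name")
    name, suffix = decode_netbios_name(payload[off + 1:off + 33])
    off += 33
    if payload[off] != 0:
        raise ValueError("question name not terminated")
    off += 1
    qtype, qclass = struct.unpack_from("!HH", payload, off)
    return {"txid": txid, "flags": flags, "name": name, "suffix": suffix,
            "qtype": qtype, "qclass": qclass, "length": len(payload)}


def classify(query: dict) -> str:
    """Label the query the way a firewall analyst would want to see it in a log."""
    if query["qtype"] == QTYPE_NBSTAT and query["name"] == "*":
        return "node-status probe for * (reverse-lookup fallback)"
    if query["qtype"] == QTYPE_NBSTAT:
        return "node-status query for a specific name"
    if query["qtype"] == QTYPE_NB:
        return "NetBIOS name query"
    return "other NBNS query"


# Constructed sample payload (not a real capture): the 50-byte node status request.
SAMPLE_NODE_STATUS = bytes.fromhex(
    "800100000001000000000000" + "20" + "434b" + "41" * 30 + "00" + "00210001"
)

if __name__ == "__main__":
    q = parse_nbns_query(SAMPLE_NODE_STATUS)
    print(q)
    print(classify(q))
```

Run against a payload copied out of a sniffer dump, this tells you whether a UDP/137 packet hitting the firewall is the fixed 50-byte "*" node status request Robert describes, or some other name-service traffic. The reverse-lookup fallback is always a query for "*" with QTYPE 0x21, so anything else on port 137 deserves a separate look.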