Solved

NETBIOS Name Service Broadcasts

Posted on 2004-03-31
657 Views
Last Modified: 2013-12-04
I am getting the following security alerts on one of my linux boxes. The ip address and MAC are from one of my Windows 2000 servers. Although I can drop these broadcasts using iptables on linux, I would like to know what my Windows box is doing. Can anyone explain? This appears to be happening every 8 hours. This is a segment of the log, it appears 20 or times per incident.

There are no errors in the event logs on the Windows box.

Mar 31 07:59:59 wahoo kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:81:28:e8:10:08:00 SRC=65.196.130.131 DST=65.196.130.159 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=50625 PROTO=UDP SPT=137 DPT=137 LEN=76
Question by:pphread
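Taking the log line from the question, here is an added Python example (not from the original thread): it splits a netfilter LOG entry into its fields, separates the MAC= value into destination MAC, source MAC and EtherType, and checks whether the packet is a NetBIOS name-service broadcast, i.e. UDP/137 sent to the Ethernet broadcast MAC and to the directed-broadcast address of the sender's subnet. The subnet mask is an assumption the operator supplies.

```python
import ipaddress
import re

# Constructed sample input: the netfilter LOG line quoted in the question.
LOG_LINE = (
    "Mar 31 07:59:59 wahoo kernel: IN=eth1 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:e0:81:28:e8:10:08:00 "
    "SRC=65.196.130.131 DST=65.196.130.159 LEN=96 TOS=0x00 PREC=0x00 "
    "TTL=128 ID=50625 PROTO=UDP SPT=137 DPT=137 LEN=76"
)

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_iptables_log(line):
    """Split a netfilter LOG line into its KEY=VALUE fields.

    LEN appears twice (IP total length, then UDP length); the first is kept
    as LEN and the second as UDP_LEN.
    """
    fields = {}
    for key, value in KV_RE.findall(line):
        if key in fields:
            key = "UDP_" + key
        fields[key] = value
    return fields


def split_mac_field(mac_field):
    """MAC= holds dst MAC (6 bytes), src MAC (6 bytes), then EtherType (2 bytes)."""
    octets = mac_field.split(":")
    return ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:14])


def is_nbns_broadcast(fields, netmask):
    """True when the packet is UDP/137 to the Ethernet broadcast MAC and to the
    directed-broadcast address of the sender's subnet (netmask is assumed to be
    known to the operator, e.g. 255.255.255.224 for a /27)."""
    if fields.get("PROTO") != "UDP" or fields.get("DPT") != "137":
        return False
    dst_mac, _, _ = split_mac_field(fields.get("MAC", ""))
    if dst_mac != "ff:ff:ff:ff:ff:ff":
        return False
    net = ipaddress.IPv4Network(f"{fields['SRC']}/{netmask}", strict=False)
    return ipaddress.IPv4Address(fields["DST"]) == net.broadcast_address


if __name__ == "__main__":
    f = parse_iptables_log(LOG_LINE)
    print(split_mac_field(f["MAC"]), is_nbns_broadcast(f, "255.255.255.224"))
```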
Expert Comment

by:jbiggs
ID: 10725724
pphread,

We can assume that SRC=65.196.130.131 is the Windows 2000 Server.  Can we get further clarification on DST=65.196.130.159?  Is this the Linux server?  Or another Windows OS machine?  Are the Destination IPs always the same in your logs or do they differ?

Regardless, one suggestion is to install WINS on your network so that Windows machines look into WINS to resolve hostnames instead of broadcasting on UDP port 137.  If you have only a few Windows based machines on the network then you can try manually adding host resolutions to the lmhosts or hosts files in c:\winnt\system32\drivers\etc directory.  I am not 100% certain if the system will use the hosts files before broadcasting but you can test it out and see if it helps.

Thanks,

John Biggs
Network Engineer
Trammell Crow Residential
Author Comment

by:pphread
ID: 10725810
1. SRC=65.196.130.131 is the Windows 2000 Server
2. DST=65.196.130.159 I can only assume is the broadcast ip as the subnet is 255.255.25.224 and that is one number outside my range. It is not the linux server.
3. The server is the only computer in a workgroup and not part of the domain.
4. Windows Internet Naming Service should not be required as I have DNS running already.
Accepted Solution

by: jbiggs (earned 125 total points)
ID: 10726306
pphread,

Yes, if the subnet is /27 then 65.196.130.159 is the broadcast address.  This confirms that the Windows machine is sending out NetBIOS name resolution broadcasts.

This tech article tells you how to turn off NetBios over TCP/IP to stop the broadcasts but also gives you some warnings about what may not function properly if you do so:

http://support.microsoft.com/?kbid=299977

The major issue with turning NBT off is that you can no longer browse the network using the Network Neighborhood or My Network Places.  This adds security because people using this system can no longer connect to the Admin shares of other machines C$, D$ (but these can be turned off in the registry).

The second issue is older machines not functioning properly.

Basically NBT advertises the following services on a Windows machine:

00 - Workstation service (Domain name) or (Workgroup name) or (Computer name)
03 - Messenger service (Computer name) or (User name)
06 - RAS server service (Computer name)
1B - Primary domain controller (Domain name)
1C - Domain controller or PDC or BDC (Domain name)
1D - Master browser (Domain name)
1E - Only on servers; indicates the computer would become a browser if requested. (Domain name) or (Workgroup name)
1F - NetDDE service (Computer name)
20 - Server service (Computer name)
21 - RAS client (Computer name)
BE - Network Monitoring Agent service (Computer name)
BF - Network monitor utility service (Computer name)

Without NBT, explorer.exe cannot resolve the location of these services on other Windows machines because it was programmed to use NBT.  *note, some of these services are located using DNS such as Domain Controller*

Good luck,

John Biggs
Network Engineer
Trammell Crow Residential
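To see what one of these UDP/137 broadcasts actually carries, here is an added Python example (not from the answer above, nor Microsoft's code): it builds a constructed NBNS name query the way a Windows host broadcasts one, then decodes the first-level-encoded name and the 16th-byte suffix using the service table from the answer. Packet layout follows RFC 1001/1002; the transaction id and host name are made up.

```python
import struct

# Suffix (16th byte of a NetBIOS name) meanings, as listed in the answer above.
NB_SUFFIX = {
    0x00: "Workstation service", 0x03: "Messenger service",
    0x06: "RAS server service", 0x1B: "Primary domain controller",
    0x1C: "Domain controller", 0x1D: "Master browser",
    0x1E: "Potential browser", 0x1F: "NetDDE service",
    0x20: "Server service", 0x21: "RAS client",
    0xBE: "Network Monitoring Agent service", 0xBF: "Network monitor utility service",
}


def encode_nb_name(name, suffix):
    """First-level encoding (RFC 1001 section 14.1): pad the name to 15 chars,
    append the suffix byte, then emit each nibble as a letter 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41])
    return bytes(out)


def decode_nb_name(encoded):
    """Inverse of encode_nb_name: 32 encoded chars -> (name, suffix)."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("malformed first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_nbns_query(txid, name, suffix):
    """Constructed NBNS name query as broadcast to UDP/137: 12-byte header with
    flags 0x0110 (RD plus B, the broadcast bit), one question of type NB, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_nb_name(name, suffix) + b"\x00" + struct.pack(">HH", 0x20, 1)
    return header + question


def parse_nbns_query(packet):
    """Return (txid, broadcast_flag, name, suffix, service) for an NBNS query."""
    txid, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if qdcount != 1 or len(packet) < 50 or packet[12] != 0x20 or packet[45] != 0:
        raise ValueError("not a single-question NBNS query")
    name, suffix = decode_nb_name(packet[13:45])
    return txid, bool(flags & 0x0010), name, suffix, NB_SUFFIX.get(suffix, "unknown")
```

A bare query like this one is 50 bytes; the UDP LEN=76 in the question's log line (68 bytes after the 8-byte UDP header) matches a name registration request, which carries the same question section plus an 18-byte resource record.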

Expert Comment

by:Rich Rumble
ID: 10729148
jbiggs is correct at every point. NetBIOS is intended for LAN use, mostly.
NetBIOS is not routable, but it is a broadcast, so if your IP space isn't segmented well, someone can hear it on your node, if using cable/DSL. I can see my neighbors' broadcast traffic very easily, because I don't rent my cable modem, I bought mine; this gives me the ability to sniff what is actually going across the wire much more easily. NetBIOS is for the LAN, and the broadcasts are wastes of BW for you and your neighbors. Again, the only ones that can hear it are in your broadcast domain.

NetBIOS can be harmless, but it can also give away some information you do not want to give out, especially to your neighbors.
http://support.microsoft.com/default.aspx?scid=kb;en-us;128233 (halfway down the page) has a bit on what WINS/NetBIOS is doing. NetBIOS can be wrapped in TCP; however, the broadcasts by default aren't.
Samba will in fact do the same thing, as it tries to emulate M$'s functions. Block them with iptables, as they will not serve you on the NET; however, if you VPN into a Windows/Samba LAN, you may want to allow them for that, as those broadcasts can be sent through most VPNs.
GL!
-rich