NETBIOS Name Service Broadcasts

Posted on 2004-03-31
Last Modified: 2013-12-04
I am getting the following security alerts on one of my Linux boxes. The IP address and MAC are from one of my Windows 2000 servers. Although I can drop these broadcasts using iptables on Linux, I would like to know what my Windows box is doing. Can anyone explain? This appears to be happening every 8 hours. This is a segment of the log; it appears 20 or more times per incident.

There are no errors in the event logs on the Windows box.

Mar 31 07:59:59 wahoo kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:81:28:e8:10:08:00 SRC=65.196.130.131 DST=65.196.130.159 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=50625 PROTO=UDP SPT=137 DPT=137 LEN=76
Question by:pphread

Expert Comment

by:jbiggs
ID: 10725724
pphread,

We can assume that SRC=65.196.130.131 is the Windows 2000 Server. Can we get further clarification on DST=65.196.130.159? Is this the Linux server, or another Windows machine? Are the destination IPs always the same in your logs, or do they differ?

Regardless, one suggestion is to install WINS on your network so that Windows machines look in WINS to resolve hostnames instead of broadcasting on UDP port 137. If you have only a few Windows-based machines on the network, then you can try manually adding host resolutions to the lmhosts or hosts files in the c:\winnt\system32\drivers\etc directory. I am not 100% certain whether the system will use the hosts files before broadcasting, but you can test it out and see if it helps.

Thanks,

John Biggs
Network Engineer
Trammell Crow Residential
Author Comment

by:pphread
ID: 10725810
1. SRC=65.196.130.131 is the Windows 2000 Server
2. DST=65.196.130.159 I can only assume is the broadcast IP, as the subnet mask is 255.255.255.224 and that is one number outside my range. It is not the Linux server.
3. The server is the only computer in a workgroup and not part of the domain.
4. Windows Internet Naming Service should not be required as I have DNS running already.
Accepted Solution

by:
jbiggs earned 125 total points
ID: 10726306
pphread,

Yes, if the subnet is a /27 then 65.196.130.159 is the broadcast address. This confirms that the Windows machine is sending out NetBIOS name resolution broadcasts.

This tech article tells you how to turn off NetBIOS over TCP/IP to stop the broadcasts, but also gives you some warnings about what may not function properly if you do so:

http://support.microsoft.com/?kbid=299977

The major issue with turning NBT off is that you can no longer browse the network using Network Neighborhood or My Network Places. This adds security because people using this system can no longer connect to the admin shares of other machines, C$, D$ (but these can be turned off in the registry).

The second issue is older machines not functioning properly.

Basically, NBT advertises the following services on a Windows machine:

00 - Workstation service (Domain name) or (Workgroup name) or (Computer name)
03 - Messenger service (Computer name) or (User name)
06 - RAS server service (Computer name)
1B - Primary domain controller (Domain name)
1C - Domain controller or PDC or BDC (Domain name)
1D - Master browser (Domain name)
1E - Only on servers; indicates the computer would become a browser if requested (Domain name) or (Workgroup name)
1F - NetDDE service (Computer name)
20 - Server service (Computer name)
21 - RAS client (Computer name)
BE - Network Monitoring Agent service (Computer name)
BF - Network monitor utility service (Computer name)

Without NBT, explorer.exe cannot resolve the location of these services on other Windows machines because it was programmed to use NBT. *Note: some of these services are located using DNS, such as Domain Controller.*

Good luck,

John Biggs
Network Engineer
Trammell Crow Residential
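To make the two points in the accepted answer concrete, here is an added example (not code from the original thread or from any of its posters): it parses the netfilter LOG line from the question, checks whether a packet is a UDP/137 name-service broadcast for the /27 the asker described, and encodes and decodes NetBIOS names in the first-level (RFC 1001/1002) form that travels inside those UDP/137 packets, using the suffix table from the answer. The sample log line is the one quoted in the question; the NBNS query packet, the name WORKGROUP and the transaction ID are constructed for the example. The helper names are my own.

```python
import ipaddress
import re
import struct

# Constructed sample: the netfilter LOG line quoted in the question,
# reproduced here as test input.
SAMPLE_LOG = (
    "Mar 31 07:59:59 wahoo kernel: IN=eth1 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:e0:81:28:e8:10:08:00 "
    "SRC=65.196.130.131 DST=65.196.130.159 LEN=96 TOS=0x00 PREC=0x00 TTL=128 "
    "ID=50625 PROTO=UDP SPT=137 DPT=137 LEN=76"
)

# NetBIOS name suffix (16th byte of the name) -> service, from the accepted answer.
NBNS_SUFFIXES = {
    0x00: "Workstation service", 0x03: "Messenger service",
    0x06: "RAS server service", 0x1B: "Primary domain controller",
    0x1C: "Domain controller", 0x1D: "Master browser",
    0x1E: "Potential browser", 0x1F: "NetDDE service",
    0x20: "Server service", 0x21: "RAS client",
    0xBE: "Network Monitoring Agent service", 0xBF: "Network monitor utility service",
}

LOG_FIELD = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Split a netfilter LOG line into its KEY=VALUE fields.
    LEN= appears twice (IP total length, then UDP length); the first one is kept."""
    fields = {}
    for key, value in LOG_FIELD.findall(line):
        fields.setdefault(key, value)
    return fields


def is_nbns_broadcast(fields, subnet):
    """True if the line is UDP/137 from inside `subnet` to the subnet's directed
    broadcast address or to the all-ones Ethernet address. The MAC= field is
    destination MAC, source MAC, EtherType, so the first six octets are the
    frame's destination."""
    net = ipaddress.ip_network(subnet, strict=False)
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    dst_mac = fields.get("MAC", "").split(":")[:6]
    return (fields.get("PROTO") == "UDP" and fields.get("DPT") == "137"
            and src in net
            and (dst == net.broadcast_address or dst_mac == ["ff"] * 6))


def encode_nbns_name(name, suffix):
    """First-level encoding: pad the name to 15 bytes, append the suffix byte,
    then write each nibble as a letter 'A'..'P' (32 characters total)."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_nbns_name(encoded):
    """Inverse of encode_nbns_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded name must be 32 characters")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(name, suffix, txid=0x1234):
    """UDP payload of a broadcast NBNS name query: 12-byte DNS-style header with
    flags 0x0110 (query, recursion desired, broadcast) and one question of
    type NB (0x0020), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    qname = bytes([32]) + encode_nbns_name(name, suffix).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", 0x0020, 0x0001)


def parse_nbns_query(payload):
    """Decode a single-question NBNS query back into its name, suffix and service."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1 or payload[12] != 32:
        raise ValueError("not a single-question NBNS packet")
    name, suffix = decode_nbns_name(payload[13:45].decode("ascii"))
    qtype, _qclass = struct.unpack("!HH", payload[46:50])
    return {"txid": txid, "broadcast": bool(flags & 0x0010), "name": name,
            "suffix": suffix, "service": NBNS_SUFFIXES.get(suffix, "unknown"),
            "qtype": qtype}


if __name__ == "__main__":
    f = parse_log_line(SAMPLE_LOG)
    print("NBNS broadcast for 65.196.130.128/27:", is_nbns_broadcast(f, "65.196.130.131/27"))
    print(parse_nbns_query(build_nbns_query("WORKGROUP", 0x1D)))
```

The log line alone only tells you that UDP/137 went to the directed broadcast; to see which name and suffix the Windows box is looking for (a workgroup's master browser, a server name, and so on) you need the payload, which is what the NBNS decoder above is for when run over a capture from the same interface.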

Expert Comment

by:Rich Rumble
ID: 10729148
jbiggs is correct on every point. NetBIOS is intended for LAN use, mostly.
NetBIOS is not routable, but it is a broadcast, so if your IP space isn't segmented well, someone can hear it on your node if you are using cable/DSL. I can see my neighbors' broadcast traffic very easily, because I don't rent my cable modem, I bought mine, which makes it much easier to sniff what is actually going across the wire. NetBIOS is for the LAN, and the broadcasts are a waste of bandwidth for you and your neighbors. Again, the only ones that can hear it are in your broadcast domain.

NetBIOS can be harmless, but it can also give away some information you do not want to give out, especially to your neighbors.
http://support.microsoft.com/default.aspx?scid=kb;en-us;128233 (halfway down the page) has a bit on what WINS/NetBIOS is doing. NetBIOS can be wrapped in TCP; however, the broadcasts by default aren't.
Samba will in fact do the same thing, as it tries to emulate M$'s functions. Block them with iptables, as they will not serve you on the NET; however, if you VPN into a Windows/Samba LAN, you may want to allow them for that, as those broadcasts can be sent through most VPNs.
GL!
-rich