
NETBIOS Name Service Broadcasts

pphread asked
Last Modified: 2013-12-04
I am getting the following security alerts on one of my Linux boxes. The IP address and MAC are from one of my Windows 2000 servers. Although I can drop these broadcasts using iptables on Linux, I would like to know what my Windows box is doing. Can anyone explain? This appears to be happening every 8 hours. This is a segment of the log; it appears 20 or more times per incident.

There are no errors in the event logs on the Windows box.

Mar 31 07:59:59 wahoo kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:81:28:e8:10:08:00 SRC=65.196.130.131 DST=65.196.130.159 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=50625 PROTO=UDP SPT=137 DPT=137 LEN=76

Commented:
pphread,

We can assume that SRC=65.196.130.131 is the Windows 2000 Server. Can we get further clarification on DST=65.196.130.159? Is this the Linux server? Or another Windows OS machine? Are the destination IPs always the same in your logs or do they differ?

Regardless, one suggestion is to install WINS on your network so that Windows machines look into WINS to resolve hostnames instead of broadcasting on UDP port 137. If you have only a few Windows-based machines on the network then you can try manually adding host resolutions to the lmhosts or hosts files in the c:\winnt\system32\drivers\etc directory. I am not 100% certain if the system will use the hosts files before broadcasting, but you can test it out and see if it helps.

Thanks,

John Biggs
Network Engineer
Trammell Crow Residential

Author

Commented:
1. SRC=65.196.130.131 is the Windows 2000 Server.
2. DST=65.196.130.159 I can only assume is the broadcast IP, as the subnet mask is 255.255.255.224 and that is one number outside my range. It is not the Linux server.
3. The server is the only computer in a workgroup and not part of the domain.
4. Windows Internet Naming Service should not be required as I have DNS running already.
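The two posts above work out by hand that the logged packet is a NetBIOS Name Service (UDP/137) frame sent to the subnet broadcast address. The following is an added example, not code from the original thread: it parses netfilter LOG lines of the format quoted in the question, splits the 14-byte MAC field into destination MAC, source MAC and EtherType, derives the directed broadcast address from the 255.255.255.224 mask the author gives, and labels each line as an NBNS broadcast, an NBNS unicast, or something else. The first sample line is the one from the question; the other two lines and all function names are constructed for illustration.

```python
"""Triage netfilter LOG lines for NetBIOS Name Service (UDP/137) broadcasts.

Added example for this thread. Only the first SAMPLE_LOG line is from the
question; the remaining lines and the helper names are constructed.
"""
import ipaddress
import re

NBNS_PORT = 137
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed sample: line 1 is the question's log line; line 2 is a unicast
# NBNS query to a host in the same /27; line 3 is an unrelated TCP/139 SYN.
SAMPLE_LOG = """\
Mar 31 07:59:59 wahoo kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:81:28:e8:10:08:00 SRC=65.196.130.131 DST=65.196.130.159 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=50625 PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 31 07:59:59 wahoo kernel: IN=eth1 OUT= MAC=00:e0:81:28:e8:11:00:e0:81:28:e8:10:08:00 SRC=65.196.130.131 DST=65.196.130.140 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=50626 PROTO=UDP SPT=137 DPT=137 LEN=76
Mar 31 08:00:01 wahoo kernel: IN=eth1 OUT= MAC=00:e0:81:28:e8:11:00:e0:81:28:e8:10:08:00 SRC=65.196.130.131 DST=65.196.130.140 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=50627 PROTO=TCP SPT=1034 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
"""


def parse_iptables_log(line: str) -> dict:
    """Split a netfilter LOG line into a dict of its KEY=VALUE fields.

    LEN appears twice (IP total length, then UDP/TCP length); the second copy
    is stored under 'payload_len'. The MAC field carries dst MAC (6 bytes),
    src MAC (6 bytes) and EtherType (2 bytes), which are split out.
    """
    rec = {}
    for key, value in re.findall(r"(\w+)=(\S*)", line):
        if key == "LEN" and "LEN" in rec:
            rec["payload_len"] = int(value)
            continue
        rec[key] = value
    rec["LEN"] = int(rec["LEN"])
    for port in ("SPT", "DPT"):
        if port in rec:
            rec[port] = int(rec[port])
    octets = rec.get("MAC", "").split(":")
    if len(octets) == 14:
        rec["dst_mac"] = ":".join(octets[0:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = "0x" + "".join(octets[12:14])
    rec["timestamp"] = line[:15]  # syslog "Mon DD HH:MM:SS" prefix
    return rec


def broadcast_address(host: str, netmask: str) -> str:
    """Directed broadcast address of the subnet containing `host`."""
    net = ipaddress.ip_network(f"{host}/{netmask}", strict=False)
    return str(net.broadcast_address)


def classify(rec: dict, netmask: str) -> str:
    """Label a record 'nbns-broadcast', 'nbns-unicast' or 'other'.

    A frame counts as broadcast if the IP destination is the subnet's directed
    broadcast address or the Ethernet destination is ff:ff:ff:ff:ff:ff.
    """
    if rec.get("PROTO") != "UDP":
        return "other"
    if NBNS_PORT not in (rec.get("SPT"), rec.get("DPT")):
        return "other"
    to_subnet_bcast = rec["DST"] == broadcast_address(rec["SRC"], netmask)
    to_link_bcast = rec.get("dst_mac") == BROADCAST_MAC
    return "nbns-broadcast" if (to_subnet_bcast or to_link_bcast) else "nbns-unicast"


def triage(log_text: str, netmask: str) -> list:
    """Return (timestamp, src, dst, label) for every LOG line in log_text."""
    rows = []
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue  # skip non-netfilter lines in a mixed syslog
        rec = parse_iptables_log(line)
        rows.append((rec["timestamp"], rec["SRC"], rec["DST"], classify(rec, netmask)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, "255.255.255.224"):
        print(*row)
```

Run against a real `/var/log/messages`, the `triage` output makes it easy to confirm that every hit is the same host talking to the same broadcast address on UDP/137, which is the name-registration and name-query traffic Windows emits on its own, rather than anything that would show up as an error on the Windows box.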
Rich Rumble, Security Samurai (Certified Expert, Top Expert 2006)

Commented:
jbiggs is correct at every point. NetBIOS is intended for LAN use, mostly.
NetBIOS is not routable, but it is a broadcast, so if your IP space isn't segmented well, someone can hear it on your node if using cable/DSL. I can see my neighbors' broadcast traffic very easily, because I don't rent my cable modem, I bought mine; this gives me the ability to sniff what is actually going across the wire much more easily. NetBIOS is for the LAN, and the broadcasts are a waste of bandwidth for you and your neighbors. Again, the only ones that can hear it are in your broadcast domain.

NetBIOS can be harmless, but it can also give away some information you do not want to give out, especially to your neighbors.
http://support.microsoft.com/default.aspx?scid=kb;en-us;128233 (halfway down the page) has a bit on what WINS/NetBIOS is doing. NetBIOS can be wrapped in TCP; however, the broadcasts by default aren't.
Samba will in fact do the same thing, as it tries to emulate M$'s functions. Block them with iptables, as they will not serve you on the NET; however, if you VPN into a Windows/Samba LAN, you may want to allow them for that, as those broadcasts can be sent through most VPNs.
GL!
-rich