North American Network Operators Group


Re: Crazy flying netbios packets

  • From: blast
  • Date: Thu Sep 03 11:35:19 1998

On Thu, 3 Sep 1998, Eric Germann wrote:

> 1. Implement WINS within the organization and set the netbios node type to
> h node (0x8). This will force the netbios stack to use a wins lookup and
> then a lookup via broadcast.
> 2. Implement WINS within the organization and set the netbios node type to
> p node (0x4?). This forces the client to ONLY use the WINS server.  Note
> every server has to be registered in the wins database.
> 
> Neither of these affect DNS resolution.
> 
> Also, try blocking udp and tcp ports 137, 138 and 139 at your borders.
> Wins, properly implemented, can eliminate about 90%+ of useless name
> resolution traffic.

These are all very good suggestions.  Blocking 137/udp, 138/udp, and
139/tcp is a very good idea if you can afford to do that.  
At a minimum, one should block 137/udp at your border's egress and 
here is one compelling reason why:

There is a very popular WWW log analysis program by the name of 
WebTrends.  It is run on a Win32 platform and when processing 
GIGs of www access-logs, it will uni-cast for WINS resolution to 
every foreign IP it finds for WINS name resolution, fail, 
and then use DNS for resolution.  

My fear (uneducated on the matter) is that it is not WebTrends but 
Microsoft's gethostbyaddr() call which would mean that this type of 
crazy 137/udp WINS resolution traffic is more commonly mis-used than
we think.  

-Tim Keanini
   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
   \    Tim Keanini    |         "The limits of my language,            /
   /                   |         are the limits of my world."           \
   \ [email protected]  |         --Ludwig Wittgenstein                  /
   \                   +================================================/
   |Key fingerprint =  7B 68 88 41 A8 74 AB EC  F0 37 98 4C 37 F7 40 D6 |
   /    PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html     \
   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
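
An added example, not part of the original post: one way to check whether the border filter suggested in this thread is needed is to scan flow records for internal hosts sending 137/udp, 138/udp or 139/tcp to external addresses, and to flag hosts that query many distinct foreign IPs on 137/udp. The record format, the internal prefix and the function names are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: "src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
10.1.2.30 137 198.51.100.7 137 udp
10.1.2.30 137 203.0.113.9 137 udp
10.1.2.30 137 192.0.2.44 137 udp
10.1.2.30 1045 192.0.2.53 53 udp
10.1.2.41 137 10.1.2.255 137 udp
10.1.2.41 137 10.1.0.5 137 udp
10.1.2.77 1029 203.0.113.20 139 tcp
"""

# Assumption: everything inside this prefix is "ours"; anything else is foreign.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
# The ports named in the thread: 137/udp, 138/udp, 139/tcp.
NETBIOS = {("udp", 137), ("udp", 138), ("tcp", 139)}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def netbios_egress(flow_text):
    """Map (src, proto, dport) -> set of external destinations contacted."""
    hits = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue  # skip malformed records
        src, _sport, dst, dport, proto = fields
        key = (proto.lower(), int(dport))
        # Only traffic leaving the organization counts; LAN broadcasts and
        # queries to an internal WINS server are expected.
        if key in NETBIOS and is_internal(src) and not is_internal(dst):
            hits[(src, *key)].add(dst)
    return dict(hits)


def noisy_resolvers(flow_text, min_targets=3):
    """Internal hosts sending 137/udp to at least min_targets foreign IPs."""
    return sorted(
        src for (src, proto, port), dsts in netbios_egress(flow_text).items()
        if (proto, port) == ("udp", 137) and len(dsts) >= min_targets
    )
```
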