[Dshield] NETBIOS Probe

Tom Geairn tgeairn at newviewconsulting.com
Mon Mar 25 17:37:59 GMT 2002


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James-

I frequently run into scenarios at client sites connected to Cable,
DSL, or wireless where my client's firewall is getting hit almost
constantly with NetBIOS requests.  These requests are 90+% from other
computers on the "outside" subnet that the client connects to.  It is
my belief that these are mostly innocuous, caused by Windows machines
building browse lists or broadcasting for hosts.  The firewall
misconfiguration in these cases is on the other computers or networks
connected to that subnet.  They shouldn't be letting out NetBIOS
traffic.  

Not a day goes by without my having a voice or email exchange with
some ISP, where I ask them to PLEASE, PLEASE filter out NetBIOS on
their incoming access lists.  In the case of the (very) few ISPs who
have complied, the traffic comes to an almost complete stop and
available bandwidth goes (in some cases by a large percentage) up. 
This is especially painful on wireless networks where the higher
latency and "bursty" nature is most severely affected by all of the
junk NetBIOS packets.  Very few things bother me more than paying for
bandwidth, only to have it sucked away because the ISP didn't bother
to block traffic that should not be there at all, and in most cases
is not specifically directed to my network anyway (broadcasts).

At my office (connected by Cable Modem), I see traffic all day long
from 30-40 other cable modem users who have apparently just plugged
their Win9x box into a cable modem and started surfing.  These
machines often have File and Print sharing enabled, no passwords, and
no firewall.  They send (and respond to) NetBIOS traffic all day
long.  A hacker's dream.  My gripe (again) is that I have to suffer
through having my connection slowed by this junk.

Maybe a better term would be "Total Lack of Firewall", rather than
"Possible Firewall Misconfiguration".  

My $0.02.

- -Tom Geairn
NewView Consulting, LLC

- -----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On
Behalf Of James
Sent: Monday, March 25, 2002 10:27 AM
To: list at dshield.org
Subject: [Dshield] NETBIOS Probe

<snip>

How do others see this?

James


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPJ9gd8kak2XDABkdEQJzMQCgvNtMEfRqj1yQR4tNrullQPZHfqAAnR/z
cQVPxMbdMnaKTWY2DBgYJ8el
=6gjJ
-----END PGP SIGNATURE-----




More information about the list mailing list