[unisog] DNS queries from Windows clients for every udp/137 and udp/138 broadcast they hear?

Irwin Tillman irwin at princeton.edu
Mon Oct 10 18:25:07 GMT 2005


Our experience here matched that of Gaby Hoffmann.
The excessive DNS traffic is associated with version 6.0.667.000 of ZoneAlarm free.

------- Previous Message(s)

>Date:   Tue, 27 Sep 2005 12:06:46 -0400
>From:   Irwin Tillman <irwin at princeton.edu>
>To:     unisog at lists.sans.org
>Subject: DNS queries from Windows clients for every udp/137 and udp/138 broadcast they hear? 

In recent weeks, I've been seeing an increasing volume of DNS traffic from some Windows machines
in a pattern that I've not seen before.

...

Each of the affected machines is sending two DNS lookups for every
UDP broadcast packet it hears involving NetBIOS ports 137 or 138.

E.g. if a machine (say 10.1.57.8) on network (say 10.1.0.0/16) broadcasts:

    IP 10.1.57.8.137 > 10.1.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

Then each affected Windows machine (say 10.1.3.4) on the same network
issues the following two lookups to the DNS server (say 192.168.1.1):

    IP 10.1.3.4.3638 > 192.168.1.1.53: 2+ PTR? 8.57.1.10.in-addr.arpa.
    IP 10.1.3.4.3639 > 192.168.1.1.53: 2+ PTR? 255.255.1.10.in-addr.arpa.

...

-------

>Date:   Wed, 28 Sep 2005 09:53:50 +1000
>From:   Gaby Hoffmann <gaby.Hoffmann at anu.edu.au>
>To:     UNIversity Security Operations Group <unisog at lists.sans.org>
>Subject: Re: [unisog] DNS queries from Windows clients for every udp/137 and udp/138 broadcast they hear?
>Reply-to: UNIversity Security Operations Group <unisog at lists.sans.org>

I've seen the same behaviour on our network by machines
running version 6.0.667.000 of ZoneAlarm free.
When the students reverted to version 5.5.094, the
excessive DNS queries stopped.

Gaby

-------
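The pattern Irwin Tillman describes above (one PTR lookup for the broadcasting host and one for the broadcast address itself, for every NetBIOS broadcast heard) is easy to pick out of a packet capture on the DNS server's side, since no normal client has a reason to reverse-resolve a broadcast address. The script below is an added illustration, not code from the list or from any of the posters: it parses tcpdump-style lines of the form shown in the thread, records which addresses appeared as NetBIOS broadcast sources and destinations, and flags DNS clients whose PTR queries track those addresses. The sample lines are constructed, the regexes assume tcpdump's default text format, and the threshold is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the tcpdump lines quoted in the thread.
# Not a capture from any real network.
SAMPLE_LINES = """\
IP 10.1.57.8.137 > 10.1.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
IP 10.1.3.4.3638 > 192.168.1.1.53: 2+ PTR? 8.57.1.10.in-addr.arpa.
IP 10.1.3.4.3639 > 192.168.1.1.53: 2+ PTR? 255.255.1.10.in-addr.arpa.
IP 10.1.22.9.138 > 10.1.255.255.138: NBT UDP PACKET(138)
IP 10.1.3.4.3640 > 192.168.1.1.53: 3+ PTR? 9.22.1.10.in-addr.arpa.
IP 10.1.3.4.3641 > 192.168.1.1.53: 3+ PTR? 255.255.1.10.in-addr.arpa.
IP 10.1.7.7.51000 > 192.168.1.1.53: 4+ PTR? 8.57.1.10.in-addr.arpa.
IP 10.1.7.7.51001 > 192.168.1.1.53: 5+ A? www.example.com.
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

# NetBIOS name-service / datagram traffic: "IP src.port > dst.port: NBT ..."
# (the colon after the destination port is optional so hand-copied lines
# with it missing still parse).
NBT_RE = re.compile(r"IP " + IPV4 + r"\.(\d+) > " + IPV4 + r"\.(\d+):? NBT")

# DNS PTR query to port 53: "IP client.port > server.53: id+ PTR? d.c.b.a.in-addr.arpa."
PTR_RE = re.compile(
    r"IP " + IPV4 + r"\.\d+ > " + IPV4 + r"\.53:? \d+\+? PTR\? " + IPV4 + r"\.in-addr\.arpa\."
)


def ptr_name_to_ip(reversed_octets):
    """Turn the 'd.c.b.a' part of a d.c.b.a.in-addr.arpa name back into 'a.b.c.d'."""
    return ".".join(reversed(reversed_octets.split(".")))


def analyze(lines, threshold=2):
    """Return {client_ip: counters} for DNS clients whose PTR queries follow NetBIOS broadcasts.

    A client is flagged when it has reverse-looked-up at least one address that
    was only ever seen as a NetBIOS broadcast destination, and its lookups of
    broadcast sources plus broadcast destinations reach `threshold`.
    """
    broadcast_dsts = set()   # destinations of udp/137 and udp/138 broadcasts
    nbt_sources = set()      # hosts that sent those broadcasts
    ptr_by_client = defaultdict(list)  # DNS client -> addresses it reverse-resolved

    for line in lines:
        m = NBT_RE.search(line)
        if m and m.group(4) in ("137", "138"):
            nbt_sources.add(m.group(1))
            broadcast_dsts.add(m.group(3))
            continue
        m = PTR_RE.search(line)
        if m:
            ptr_by_client[m.group(1)].append(ptr_name_to_ip(m.group(3)))

    report = {}
    for client, targets in ptr_by_client.items():
        bcast_hits = sum(1 for t in targets if t in broadcast_dsts)
        src_hits = sum(1 for t in targets if t in nbt_sources)
        # Reverse-resolving a broadcast address is the strong signal; the
        # source lookups corroborate it.
        if bcast_hits >= 1 and bcast_hits + src_hits >= threshold:
            report[client] = {
                "broadcast_ptr": bcast_hits,
                "nbt_source_ptr": src_hits,
                "total_ptr": len(targets),
            }
    return report


if __name__ == "__main__":
    for client, counters in analyze(SAMPLE_LINES.splitlines()).items():
        print(client, counters)
```

On the constructed sample only 10.1.3.4 is reported: it reverse-resolved both broadcast sources and the 10.1.255.255 broadcast address twice, matching the two-lookups-per-broadcast behaviour in the thread, while 10.1.7.7 made a single ordinary PTR query and is left alone. Against a real capture you would feed it `tcpdump -n -l` output (or a saved text dump) filtered to udp port 53 and udp ports 137 and 138, and then use the flagged client list to find the hosts running the affected ZoneAlarm build.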
