Should I be worried about the NBNS broadcasts
Hi!
Are these packets something to be worried about, or should I just ignore them? I know my fw blocks these packages because it sends back an ICMP destination and port unreachable. Last time I got hacked I know I saw a lot of these packages, so I get a bad feeling every time I see these incoming packets, but I'm not even sure if it has something to do with it. I get about 1 of these messages from different hosts in a minute for some hours now. I have a Windows box connected to this one which I use masquerading on.

Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 1
    Link-layer address length: 6
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 78
    Identification: 0x7f8e
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 109
    Protocol: UDP (0x11)
    Header checksum: 0xc51e (correct)
    Source: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
    Destination: my.linux.box ip (my.linux.box ip)
User Datagram Protocol, Src Port: 12057 (12057), Dst Port: netbios-ns (137)
    Source port: 12057 (12057)
    Destination port: netbios-ns (137)
    Length: 58
    Checksum: 0x87d2 (correct)
NetBIOS Name Service
    Transaction ID: 0x00ca
    Flags: 0x0010 (Name query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Name query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... ...1 .... = Broadcast: Broadcast packet
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>: type NBSTAT, class inet
            Name: *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00> (Workstation/Redirector)
            Type: NBSTAT
            Class: inet

Thanks in advance
LR |
These broadcasts are very typical in a Windows environment. Each machine is broadcasting to each other in order to keep the 'Network Neighborhood' listing up to date. According to Microsoft, if you are using all Windows 2000 and above machines on your network (Samba 2.x does not constitute 'Windows 2000 and above'; Samba 3 will, but is in beta) then you can disable NetBIOS altogether and use DNS.
|
OK, the only reason I started to wonder is that I know these are used inside my network but didn't know that they can send such packets to my LAN from outside.
Sorry if it took a while for me to answer, but thanks for the help. I will disable NetBIOS asap. |
I keep getting NBNS to my Linux machine every second.
How do I stop it from NBNS querying me? It is annoying once I found out. |
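An added example, not part of any post in this thread: a small Python decoder for the UDP payload shown in the first post's capture, which labels a wildcard NBSTAT (node status) query by whether its source is inside the LAN. The function names, the LAN range 192.168.0.0/24 and the source address 203.0.113.7 are assumptions, and the sample bytes are constructed from the fields in the capture.

```python
import ipaddress
import struct

NBSTAT = 0x0021                      # node status request (RFC 1002)
WILDCARD = b"*" + b"\x00" * 15       # the name shown in the capture

def decode_name(enc: bytes) -> bytes:
    """Undo first-level encoding: each byte is sent as two letters 'A'..'P'."""
    if len(enc) != 32 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def parse_query(payload: bytes) -> dict:
    """Parse the UDP payload of a single-question NBNS packet without a scope."""
    if len(payload) < 50 or payload[12] != 0x20 or payload[45] != 0:
        raise ValueError("not a plain NBNS question")
    txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    qtype, qclass = struct.unpack(">HH", payload[46:50])
    return {
        "txid": txid,
        "is_query": not flags & 0x8000,      # top bit set means response
        "opcode": (flags >> 11) & 0xF,
        "broadcast": bool(flags & 0x0010),
        "questions": qdcount,
        "name": decode_name(payload[13:45]),
        "qtype": qtype,
        "qclass": qclass,
    }

def classify(src_ip: str, payload: bytes, lan: str) -> str:
    """Label a datagram that arrived on UDP 137 (labels are hypothetical)."""
    q = parse_query(payload)
    inside = ipaddress.ip_address(src_ip) in ipaddress.ip_network(lan)
    if q["is_query"] and q["qtype"] == NBSTAT and q["name"] == WILDCARD:
        return "lan-nbstat" if inside else "external-nbstat"
    return "other-nbns"

# Constructed sample matching the capture: ID 0x00ca, flags 0x0010, 1 question.
SAMPLE = (struct.pack(">6H", 0x00CA, 0x0010, 1, 0, 0, 0)
          + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
          + struct.pack(">HH", NBSTAT, 0x0001))

if __name__ == "__main__":
    print(parse_query(SAMPLE))
    print(classify("203.0.113.7", SAMPLE, "192.168.0.0/24"))
```

The sample payload is 50 bytes, which with the 8-byte UDP header gives the Length: 58 seen in the capture.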