LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-14-2006, 05:10 PM   #1
djkhan77
LQ Newbie
 
Registered: Jul 2006
Posts: 3

Rep: Reputation: 0
Port flooding from unknown source!


Hello,
I'm new here, well, I'm new with Linux also, but I'm willing to learn.
I'm running a Gentoo distribution for HTB and routing, and a FreeBSD box as a nameserver and for webmail.
I have a network of about 350 users and I have a very big problem... for some time now I've been experiencing lots of floods on ports 135, 137, 138, 139 and 445, but especially on 135, 139 and 445. These ports are filtered by my firewall (rc.firewall) but the problem remains... How do I get rid of it?!?
When I run tcpdump -nnvv -i ethx port ... (where x is the interface that goes to my clients and the ports are the ones that I mentioned), this is what I get:

00:52:31.713708 IP (tos 0x0, ttl 128, id 44214, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.3366 > 89.32.154.246.139: S, cksum 0x64bf (correct), 3880917648:3880917648(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.713943 IP (tos 0x0, ttl 128, id 44215, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.3367 > 89.32.47.165.139: S, cksum 0x2f60 (correct), 3880958783:3880958783(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.714201 IP (tos 0x0, ttl 128, id 44216, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.3368 > 89.32.76.78.139: S, cksum 0x4a7b (correct), 3881010041:3881010041(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.717589 IP (tos 0x0, ttl 128, id 48885, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1903 > 89.32.164.151.139: S, cksum 0xc610 (correct), 1570914014:1570914014(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.729528 IP (tos 0x0, ttl 128, id 44217, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.3369 > 89.32.240.145.139: S, cksum 0xde18 (correct), 3881061270:3881061270(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.744406 IP (tos 0x0, ttl 128, id 44218, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.3275 > 89.32.168.102.139: S, cksum 0x85e8 (correct), 3875728545:3875728545(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.747869 IP (tos 0x0, ttl 128, id 48890, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1904 > 89.32.247.139.139: S, cksum 0xcc08 (correct), 1570956784:1570956784(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.760333 IP (tos 0x0, ttl 128, id 44219, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.3370 > 89.32.191.111.139: S, cksum 0xc94b (correct), 3881144707:3881144707(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.779141 IP (tos 0x0, ttl 128, id 48895, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1905 > 89.32.122.61.139: S, cksum 0x8a15 (correct), 1571005744:1571005744(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.794217 IP (tos 0x0, ttl 128, id 48898, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1811 > 89.32.252.154.139: S, cksum 0x8a3e (correct), 1565598554:1565598554(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.794255 IP (tos 0x0, ttl 128, id 48899, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1812 > 89.32.216.25.139: S, cksum 0x0d5d (correct), 1565639738:1565639738(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.794283 IP (tos 0x0, ttl 128, id 48900, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1813 > 89.32.143.40.139: S, cksum 0xc448 (correct), 1565677247:1565677247(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.794309 IP (tos 0x0, ttl 128, id 48901, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1814 > 89.32.34.53.139: S, cksum 0x65e5 (correct), 1565729300:1565729300(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.794338 IP (tos 0x0, ttl 128, id 48902, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1815 > 89.32.153.77.139: S, cksum 0xf0e8 (correct), 1565794294:1565794294(0) win 64240 <mss 1460,nop,nop,sackOK>


I also must say that I personally went to the computers that have this sort of activity and all of them are running a Windows filesystem. I installed the ZoneAlarm firewall and blocked the problem ports inbound and outbound. This way I stop the flood for about 1 week tops, then it starts again... the firewall is useless...

WHAT TO DO!?!


PS: I forgot to say what happens... well, about 100,000 packets/second (and that kinda messes up my server as well as my provider's router).

Last edited by djkhan77; 07-14-2006 at 05:19 PM.
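The tcpdump output above shows the pattern a practitioner would want to detect automatically on the router: one source host sending bare SYNs (flags "S", TTL 128) to many different hosts in the same /16 on tcp/139 within a few milliseconds. The following is an added example, not code from the thread or from any poster: a small Python parser for the `tcpdump -nnvv` line format shown above that groups SYNs per source host, per second and per destination port, and flags any host that hits at least five distinct destinations on a NetBIOS/SMB port within one second (a sweeping host does dozens to thousands; a user browsing Network Neighbourhood touches a handful). The sample lines, the 10.10.0.0/16 addresses and the threshold are constructed for the example.

```python
"""Flag hosts sweeping NetBIOS/SMB ports from `tcpdump -nnvv` output.

Added example; not part of the original forum thread. Sample packets below are
constructed with private 10.10.0.0/16 addresses in place of the poster's 89.32/16.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One `tcpdump -nnvv` TCP line, e.g.
# 00:52:31.713708 IP (tos 0x0, ttl 128, id 44214, offset 0, flags [DF],
#   proto: TCP (6), length: 48) 10.10.0.5.3366 > 10.10.154.246.139: S, cksum ...
# The IP header field list contains "(6)", so it is matched non-greedily and the
# match is anchored by the "src.sport > dst.dport: FLAGS," that follows it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.(?P<us>\d{6}) IP \((?P<iphdr>.*?)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+),"
)
TTL_RE = re.compile(r"ttl (\d+)")

# The ports the original poster saw flooded: NetBIOS name/datagram/session and SMB over TCP.
NETBIOS_SMB_PORTS = {135, 137, 138, 139, 445}


@dataclass
class Record:
    second: str   # wall-clock second, e.g. "00:52:31"
    src: str
    dst: str
    dport: int
    flags: str    # old tcpdump flag letters: "S" = SYN only, "." = ACK only
    ttl: int


def parse_line(line):
    """Return a Record for a tcpdump -nnvv TCP line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ttl_m = TTL_RE.search(m.group("iphdr"))
    return Record(second=m.group("ts"), src=m.group("src"), dst=m.group("dst"),
                  dport=int(m.group("dport")), flags=m.group("flags"),
                  ttl=int(ttl_m.group(1)) if ttl_m else -1)


def find_scanners(lines, min_targets=5):
    """Return {src: {"second", "targets", "port", "ttl"}} for every source that sent
    bare SYNs to at least `min_targets` distinct hosts on one NetBIOS/SMB port
    within a single second. Only the busiest second per source is kept."""
    buckets = defaultdict(set)   # (src, second, dport) -> distinct destination hosts
    ttls = {}                    # src -> last seen IP TTL (128 is the Windows default)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.flags != "S" or rec.dport not in NETBIOS_SMB_PORTS:
            continue
        buckets[(rec.src, rec.second, rec.dport)].add(rec.dst)
        ttls[rec.src] = rec.ttl
    findings = {}
    for (src, second, dport), targets in buckets.items():
        if len(targets) >= min_targets:
            prev = findings.get(src)
            if prev is None or len(targets) > prev["targets"]:
                findings[src] = {"second": second, "targets": len(targets),
                                 "port": dport, "ttl": ttls[src]}
    return findings


def _pkt(ts, src, sport, dst, dport, flags="S", ttl=128):
    """Build one constructed tcpdump -nnvv line in the format quoted in the thread."""
    return (f"{ts} IP (tos 0x0, ttl {ttl}, id 1, offset 0, flags [DF], proto: TCP (6), "
            f"length: 48) {src}.{sport} > {dst}.{dport}: {flags}, cksum 0x0000 (correct), "
            f"1:1(0) win 64240 <mss 1460,nop,nop,sackOK>")


# Constructed capture: one sweeping host, one host browsing normally, one web client.
SAMPLE = [
    # 10.10.0.5 SYNs eight different hosts on tcp/139 within one second: worm-like sweep.
    *[_pkt(f"00:52:31.7{i:05d}", "10.10.0.5", 3366 + i, f"10.10.{i}.{200 - i}", 139)
      for i in range(8)],
    # 10.10.0.9 opens SMB to two file servers: ordinary Network Neighbourhood use.
    _pkt("00:52:31.800000", "10.10.0.9", 1025, "10.10.1.10", 445),
    _pkt("00:52:31.800500", "10.10.0.9", 1026, "10.10.1.11", 445),
    # An established SMB session (ACK only) is not a connection attempt.
    _pkt("00:52:31.900000", "10.10.0.9", 1025, "10.10.1.10", 445, flags="."),
    # Traffic to other ports is ignored by the detector.
    _pkt("00:52:32.000000", "10.10.0.7", 40000, "10.10.1.1", 80),
]


def report(lines=SAMPLE, min_targets=5):
    """Print and return the hosts worth walking over to, as the poster did by hand."""
    findings = find_scanners(lines, min_targets)
    for src, f in sorted(findings.items()):
        hint = ", Windows-like default TTL" if f["ttl"] == 128 else ""
        print(f"{src}: {f['targets']} distinct hosts on tcp/{f['port']} "
              f"within second {f['second']} (ttl {f['ttl']}{hint})")
    return findings


if __name__ == "__main__":
    report()
```

On a live router the same logic can be fed from `tcpdump -nnvv -i ethx 'tcp[tcpflags] == tcp-syn and (port 135 or port 139 or port 445)'` piped into stdin; the threshold should be tuned so that domain logons and normal browsing stay below it while a sweep of the /16 stands out by orders of magnitude.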
 
Old 07-14-2006, 07:09 PM   #2
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 878

Rep: Reputation: 309Reputation: 309Reputation: 309Reputation: 309
Correct me if I'm wrong, but I believe this is just your Windows boxes sniffing themselves for NETBIOS/SMB resources. They do it on my subnet too; I was fascinated by this and so I set up Samba to talk with them. I saw some activity, and some people likely saw my Samba server in their Explorer window. Some looked around, while others seemed to be just firing off packets. Those I'm assuming were infected machines: there are A LOT of exploits for Microsoft involving these ports, and a large number of viruses make use of them. Not all traffic is virus-generated, of course. They do queries for PDC, BDC, browse lists ("Network Neighborhood"), and a whole bunch of stuff. You can share files, printers, profiles and home directories by this resource. The ports you named are all default NETBIOS and SMB networking ports. Evidently Microsoft thought this behavior was desirable.

Check your favourite MS help site and read about shutting it down, because I can't remember the exact commands for all of it (it's been a while since I touched Windows). Look for disabling "Messenger", "NETBIOS over TCP, UDP", anything to do with SMB or NETBIOS, etc.
 
Old 07-14-2006, 07:22 PM   #3
w3bd3vil
Senior Member
 
Registered: Jun 2006
Location: Hyderabad, India
Distribution: Fedora
Posts: 1,191

Rep: Reputation: 49
This is quite normal. You could disable ICMP ping and try to see if these connections still occur. I don't think they will.
 
Old 07-14-2006, 08:06 PM   #4
djkhan77
LQ Newbie
 
Registered: Jul 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks! I'll get right on it!
I understand that this is normal behaviour... I mean the use of NETBIOS and SMB ports, but my problem is that there are a LOT of packets per second... like I said, sometimes over 100,000 pk/sec. Needless to say, my kernel crashes over 60,000 packets.
I am going to make some tests and then write again with my results.
Thanks again!
 
Old 07-15-2006, 06:44 AM   #5
shawnbishop
Member
 
Registered: Dec 2005
Location: South Africa
Distribution: CentOS,Ubuntu,Fedora
Posts: 249

Rep: Reputation: 30
Good day

On your Windows boxes, select the Networking properties, select TCP/IP, Properties and then Advanced. Go to the "WINS" tab, and at the bottom you will see "Enable NETBIOS over TCP"; select the Disable radio button. This should decrease the NETBIOS traffic.
Might slow down the traffic

Cheers
 
Old 07-15-2006, 08:08 AM   #6
djkhan77
LQ Newbie
 
Registered: Jul 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks!
I've searched the net and found some things...


START --> RUN --> CMD
sc config messenger start= disabled
sc stop messenger

I understand that these command lines should disable the NET SEND option that seems to create my problem...
I'm still investigating...

Sorry for polluting this forum with a Windows problem, but it all started because my Linux server was affected.
 