[standard answer follows]
>This is simply DNS using WINS-R for reverse zones; as most of you should
>know, this is a checkbox away in NT's DNS.
>
>Although WINS uses a database, WINS-R won't even try to look it up. What
>all WINS servers do is issue a direct "nbname" query to the "originating
>IP", asking its NetBIOS name.
>
>An example? Suppose your system's IP isn't mapped on any DNS (i.e., DNS
>PTR query will fail) and you are accessing a www server that uses a
>MS-DNS box configured to use a WINS server for WINS-R; the DNS will fail
>using "normal" methods and will try using the WINS server. The WINS
>server will try to resolve your IP the only way it knows; how? Issuing a
>direct "nbname" query to your system, thus generating the "attack".
>
>This becomes even funnier in case of "dual homed" WINS servers, where
>the originating IP is sometimes the internal one (i.e., invalid
>networks).
>
>Solution: drop and ignore all udp port 137 packets on your
>firewalls/routers and make sure your MS DNS *doesn't* use WINS-R for
>reverse resolution.
I don't know if ms-proxy could somehow generate this too :)
Technical Incursion Countermeasures wrote:
>
> Exactly the ones they say.. :}..
> The most common culprit is MS-Proxy.. it seems to want to make Netbios name
> requests to every host it caches from..
> Great 'feature' eh?
>
> Bret
>
> At 14:00 7/06/00 +0200, Markus Loeffler wrote:
> >I am using Log File Auditing for checking my Firewall on intrusions.
> >
> >Currently I get connects to the unsecure Interface on the Firewall from
> >several IP addresses on the Internet with source Port 137 to destination
> >Port 137, protocol is UDP.
> >
> >IANA Port-Assignment says :
> >
> >netbios-ns 137/tcp NETBIOS Name Service
> >netbios-ns 137/udp NETBIOS Name Service
> >
> >but which services use that on the Internet?
> >
> >With kind regards,
> >KCS Informationstechnik GmbH & Co. KG
> >
> >Markus Löffler
> >Netzwerkconsulting und Systemtechnik
> >
> >Tel.: 0731 / 9 35 69-62
> >Fax: 0731 / 9 35 69-55
> >email: [EMAIL PROTECTED]
> >web: http://www.kcs.net
> >
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]
>
> Technical Incursion Countermeasures
> [EMAIL PROTECTED] http://www.ticm.com/
> voice mail/fax: (+65)98421426(UTC+8 hrs)
>
> The Insider - a e'zine on Computer security
> http://www.ticm.com/info/insider/index.html
>
--
Rui Pedro Bernardino / Av. Miguel Bombarda, 4, 8o / 1049-058 Lisboa /
Portugal
Playing an unamplified electric guitar is like strumming on a picnic
table.
-- Dave Barry, "The Snake"
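Added example, not part of the original thread: Python that decodes the UDP payload of a datagram sent to port 137, so the traffic in the firewall log can be told apart as a node status request or an ordinary name query. It assumes the "nbname" query described above is the RFC 1002 node status request (type NBSTAT for the wildcard name "*"); the function names and sample packets are constructed for illustration.

```python
import struct

NB, NBSTAT = 0x0020, 0x0021  # RFC 1002 question types

def encode_nb_name(name16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble becomes a letter 'A'..'P'."""
    return bytes(0x41 + n for b in name16 for n in (b >> 4, b & 0x0F))

def decode_nb_name(encoded: bytes) -> bytes:
    """Reverse the first-level encoding back to the 16-byte NetBIOS name."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def classify_nbns(payload: bytes) -> str:
    """Classify the UDP payload of a datagram addressed to port 137."""
    if len(payload) < 50:  # 12 header + 34 name + 4 type/class
        return "malformed"
    _txid, flags, qdcount = struct.unpack_from("!HHH", payload, 0)
    if flags & 0x8000 or qdcount != 1:
        return "other"  # a response, or not a single-question request
    if payload[12] != 0x20 or payload[45] != 0x00:
        return "other"  # scoped or compressed names are not handled here
    try:
        name = decode_nb_name(payload[13:45])
    except ValueError:
        return "malformed"
    qtype, _qclass = struct.unpack_from("!HH", payload, 46)
    if qtype == NBSTAT and name[:1] == b"*":
        return "node-status"  # sender is asking this host for its names
    if qtype == NB:
        return "name-query"   # sender is looking for a name
    return "other"

def build_question(flags: int, name16: bytes, qtype: int) -> bytes:
    """Build a constructed sample request (transaction id 0x1234 is arbitrary)."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return (header + b"\x20" + encode_nb_name(name16) + b"\x00"
            + struct.pack("!HH", qtype, 1))

# Constructed samples, not captured traffic.
SAMPLE_STATUS = build_question(0x0000, b"*" + b"\x00" * 15, NBSTAT)
SAMPLE_LOOKUP = build_question(0x0110, b"FILESRV".ljust(15) + b"\x00", NB)

if __name__ == "__main__":
    for label, pkt in (("status", SAMPLE_STATUS), ("lookup", SAMPLE_LOOKUP)):
        print(label, classify_nbns(pkt))
```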