Re: [ILUG] Frequent connections on port 137

From: Kenn Humborg (kenn at domain avalon.wombat.ie)
Date: Sat 18 Sep 1999 - 15:31:06 IST


On Sat, Sep 18, 1999 at 02:40:12PM +0100, Thomas Ribbrock wrote:
> [root at domain angua /root]# /usr/sbin/tcpdump -i ppp0 port 137 -s 1000
> tcpdump: listening on ppp0
> 14:36:15.830895 bf-web.bord-failte.iol.ie.netbios-ns > ts01-176.limerick.indigo.ie.netbios-ns: udp 50
> 14:36:16.720879 bf-web.bord-failte.iol.ie.netbios-ns > ts01-176.limerick.indigo.ie.netbios-ns: udp 50
> 14:36:18.210854 bf-web.bord-failte.iol.ie.netbios-ns > ts01-176.limerick.indigo.ie.netbios-ns: udp 50
>
> Looks like I'll have to write those folks to set up their web server
> properly...

Arguably, they are not breaking any rules here. It's no different
from firing back an IDENT query when you connect. If you don't
run an IDENT (or netbios-ns) server, (which is OK, because they are
not mandated by the Host Requirements RFCs) then their server
has to deal with it gracefully.

If you don't like it, then silently drop netbios stuff, rather than
taking the drastic countermeasures that abacus_sentry is taking.

My feeling with automated countermeasures like this is that it
will be very difficult to keep them up to date. And a wrong
configuration, or unintended countermeasure, can have wide-ranging
effects. It's not too bad in your case because you're a dialup
user yourself, but running something like this on a company gateway
is asking for trouble.

A better solution is to use IP firewalling to drop or reject traffic
you don't like. Blocking a whole host is overkill.

Later,
Kenn
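
The difference between dropping one kind of traffic and blocking a whole host, as an added example that is not part of the original message: a small Python model (not a real firewall) that applies both policies to a capture in the format quoted above. The two `www` lines are constructed and simplified, on the assumption that a web session to the same server is in progress; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed capture: the netbios-ns lines are those quoted in the message;
# the www lines are assumed, simplified stand-ins for web replies.
CAPTURE = """\
14:36:15.100000 bf-web.bord-failte.iol.ie.www > ts01-176.limerick.indigo.ie.1042: tcp 512
14:36:15.830895 bf-web.bord-failte.iol.ie.netbios-ns > ts01-176.limerick.indigo.ie.netbios-ns: udp 50
14:36:16.720879 bf-web.bord-failte.iol.ie.netbios-ns > ts01-176.limerick.indigo.ie.netbios-ns: udp 50
14:36:17.200000 bf-web.bord-failte.iol.ie.www > ts01-176.limerick.indigo.ie.1042: tcp 1460
14:36:18.210854 bf-web.bord-failte.iol.ie.netbios-ns > ts01-176.limerick.indigo.ie.netbios-ns: udp 50
"""

# timestamp, src host.port, dst host.port, protocol, length
LINE = re.compile(r"^(\S+) (\S+)\.([\w-]+) > (\S+)\.([\w-]+): (udp|tcp) (\d+)$")

def parse(capture):
    """Turn each capture line into a dict; lines that do not match are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            _, src, sport, dst, dport, proto, _ = m.groups()
            pkts.append({"src": src, "sport": sport, "dst": dst,
                         "dport": dport, "proto": proto})
    return pkts

def port_scoped(pkt):
    """Policy 1: silently drop inbound NetBIOS name-service datagrams only."""
    is_nbns = pkt["proto"] == "udp" and pkt["dport"] == "netbios-ns"
    return "DROP" if is_nbns else "ACCEPT"

def host_block(blocked_hosts):
    """Policy 2: drop every packet from a host once it has been flagged."""
    return lambda pkt: "DROP" if pkt["src"] in blocked_hosts else "ACCEPT"

def dropped_by_service(pkts, policy):
    """Count dropped packets, keyed by the sender's source port/service."""
    return Counter(p["sport"] for p in pkts if policy(p) == "DROP")

if __name__ == "__main__":
    pkts = parse(CAPTURE)
    print("port-scoped:", dict(dropped_by_service(pkts, port_scoped)))
    flagged = {p["src"] for p in pkts if port_scoped(p) == "DROP"}
    print("host block: ", dict(dropped_by_service(pkts, host_block(flagged))))
```

Under the host-wide policy the web replies from the same server are lost along with the name-service queries, while the port-scoped policy leaves them alone.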


