How can I turn off NetBIOS Nameserver Responses once they've start

Guest

The blocked traffic log on my firewall started filling up (and still is) with
ICMP responses. The traffic in question is from both of my Win2K servers
(192.168.211.8:137, 192.168.211.21:137) to an address on the Internet
(169.254.227.22:137). I looked this address up and it turns out to belong to
IANA but that is because it is an autoconfiguration IP address. Using
Ethereal I looked at the traffic and it turns out that my dot 8 server is
responding to a name server request from the "IANA box". My dot 21 server is
also responding to the same request. However, nowhere in the traffic is there
any request from the autoconfiguration IP address. I have no autoconfigured
hosts on my network. Now since my firewall does not allow ICMP, it is
blocking and logging these attempts at response and logging them. It is also
happening at a rather slow rate, a little better than maybe 20 times an
hour/each. I know that there used to be a few (years) old worms that
exhibited this behaviour but not at this slow pace and the port 137 to 137
looks like a legitimate response type not a worm (the port would be higher).
At any rate these machines have already been cleared by multiple antivirus
and trojan hunting software. I would have thought that if there had been an
autoconfig IP address that generated a request at one time and then was
corrected to a valid internal address, that the responses would have timed out
by themselves. I did have NetBIOS over TCP/IP running along with WINS but I
disabled all that and it makes no difference. I can only think that something
in the Win2K operating system is "stuck" in a loop. Has anyone else
experienced this and if so, how do I turn it off?
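
Added example, not part of the original post: a way to check from a captured UDP/137 payload whether a packet really is a NetBIOS name service response (the R bit in the header) and whether it is addressed to the 169.254.0.0/16 autoconfiguration range, as the post describes. The name FILESRV, the transaction IDs and both sample packets are constructed for illustration.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # autoconfiguration (APIPA) range

def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding; used here only to build the sample packets."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))

def decode_nb_name(enc: bytes) -> str:
    """Reverse the encoding: 32 bytes in 'A'..'P' become a 15-char name plus suffix."""
    if len(enc) != 32 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip() + f"<{raw[15]:02X}>"

def classify_nbns(payload: bytes, dst_ip: str) -> dict:
    """Decode the 12-byte NBNS header of a UDP/137 payload and flag the odd case."""
    if len(payload) < 12:
        raise ValueError("shorter than the NBNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    info = {
        "txid": txid,
        "is_response": bool(flags & 0x8000),   # R bit
        "opcode": (flags >> 11) & 0x0F,        # 0 = name query
        "rcode": flags & 0x0F,
        "name": None,
        "dst_link_local": ipaddress.ip_address(dst_ip) in LINK_LOCAL,
    }
    # The first name (question or answer) starts right after the header.
    if (qd or an) and len(payload) >= 46 and payload[12] == 0x20:
        info["name"] = decode_nb_name(payload[13:45])
    # A response addressed to 169.254/16 is the pattern described in the post.
    info["suspect"] = info["is_response"] and info["dst_link_local"]
    return info

# Constructed sample packets (name FILESRV and transaction IDs are made up).
NAME = b"\x20" + encode_nb_name("FILESRV") + b"\x00"
SAMPLE_RESPONSE = (struct.pack("!6H", 0x1234, 0x8500, 0, 1, 0, 0) + NAME +
                   struct.pack("!HHIHH", 0x0020, 0x0001, 300000, 6, 0) +
                   ipaddress.ip_address("192.168.211.8").packed)
SAMPLE_QUERY = struct.pack("!6H", 0x1235, 0x0110, 1, 0, 0, 0) + NAME + struct.pack("!HH", 0x0020, 0x0001)

if __name__ == "__main__":
    print(classify_nbns(SAMPLE_RESPONSE, "169.254.227.22"))
    print(classify_nbns(SAMPLE_QUERY, "192.168.211.255"))
```

The decoded name and transaction ID from a flagged response can then be searched for in the capture to see whether any matching query was ever recorded.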
 
Guest

Thanks for replying so quickly Phillip, but no, there was nothing out of the
ordinary in the event logs. Nothing I could link in my mind, to this specific
problem. It's a strange one. If you think of anything else, please let me
know.
Thanks,
Mike

Phillip Windell said:
Anything in the event logs?

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

