RE: Win2K Srv sending NBSTAT name query broadcasts to Internet IPs

  • Thread starter Kristin Thomas [MSFT]

Kristin Thomas [MSFT]

CJ,

You are right about broadcast packets: something destined for a specific IP
address is not a broadcast packet. A broadcast is only sent to a machine's
broadcast address.

Name Service datagrams are used primarily to register and resolve names on
the network, and they are sent and received by NetBT and WINS only over
TCP/UDP port 137.

So is the machine in question a WINS server? Does it have replication
partners set up with those IP addresses you are seeing?

Best Regards,

Kristin Thomas, MCSE, MCP
Microsoft Enterprise Network Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Thread-Topic: Win2K Srv sending NBSTAT name query broadcasts to Internet IPs
| X-Tomcat-NG: microsoft.public.win2000.networking
| From: "CJ" <[email protected]>
| Subject: Win2K Srv sending NBSTAT name query broadcasts to Internet IPs
| Date: Tue, 16 Mar 2004 08:21:05 -0800

|
| I have noticed that my Win2K server is sending NBSTAT broadcast packets
to random IP addresses outside of my local network. The broadcasts always
originate from the server on port 137 and are always destined for some IP
address on port 137. The destination IP addresses always seem to be
different and many times are nonexistent.

I say random because there is no time pattern to the broadcasts. Sometimes
they are sent every couple of minutes and sometimes the period between
broadcasts is much longer.

Can anyone explain why this might be happening? I can understand this if
the broadcasts were to machines on my local network but not out onto the
Internet. I also don't understand the concept of a broadcast being sent to
a specific IP address. I thought broadcasts were sent out to all systems on
the local network.

Please advise.

CJ

|

Guest

Kristin,

Thanks for responding. In answer to your questions... no, the server is not set up as a WINS server, and no, I have no replication partners of any kind set up. I have no idea where the IP addresses come from that the NBSTAT packets are being sent to. I've checked some of them and many are not registered in any DNS. I also don't understand why my server is attempting to send these broadcasts to IP addresses out past our router / firewall and out to the Internet.

Do you have any more ideas on how I can track this down?

Here is a sampling of some of the broadcasts that are being sent. These are SNMP traps obtained from the router. You can see they go from the server @ 137 to an IP address @ 137. I also included a sniffer trace of a single packet so you can see what is being sent.


Frame 42 (92 bytes on wire, 92 bytes captured)
Arrival Time: Mar 15, 2004 14:45:02.379705000
Time delta from previous packet: 0.086549000 seconds
Time since reference or first frame: 45.839609000 seconds
Frame Number: 42
Packet Length: 92 bytes
Capture Length: 92 bytes
Ethernet II, Src: 00:10:a4:eb:a4:21, Dst: 00:20:78:c7:64:c6
Destination: 00:20:78:c7:64:c6 (10.254.215.1)
Source: 00:10:a4:eb:a4:21 (10.254.215.51)
Type: IP (0x0800)
Internet Protocol, Src Addr: 10.254.215.51 (10.254.215.51), Dst Addr: 217.179.171.230 (217.179.171.230)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 78
Identification: 0xb9b8 (47544)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x191b (correct)
Source: 10.254.215.51 (10.254.215.51)
Destination: 217.179.171.230 (217.179.171.230)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
Source port: netbios-ns (137)
Destination port: netbios-ns (137)
Length: 58
Checksum: 0xbae3 (correct)
NetBIOS Name Service
Transaction ID: 0x9d6f
Flags: 0x0010 (Name query)
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Name query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... ...1 .... = Broadcast: Broadcast packet
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
*<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>: type NBSTAT, class inet
Name: *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00> (Workstation/Redirector)
Type: NBSTAT
Class: inet

0000 00 20 78 c7 64 c6 00 10 a4 eb a4 21 08 00 45 00 . x.d......!..E.
0010 00 4e b9 b8 00 00 80 11 19 1b 0a fe d7 33 d9 b3 .N...........3..
0020 ab e6 00 89 00 89 00 3a ba e3 9d 6f 00 10 00 01 .......:...o....
0030 00 00 00 00 00 00 20 43 4b 41 41 41 41 41 41 41 ...... CKAAAAAAA
0040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0050 41 41 41 41 41 41 41 00 00 21 00 01 AAAAAAA..!..

Any help you can provide would be appreciated.

Thanks,

Cj

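An added example, not code from the thread: it decodes the Frame 42 hex dump posted above (the 92 bytes are copied verbatim) down to the NBNS question, recovering the wildcard name "*" and the NBSTAT type from the "CKAAAA..." label, and then applies the same test a defender would put on the router trap lines: NetBIOS-NS (UDP/137) leaving toward a public address. The trap field order (`... router @out <src> <sport> <dst> <dport>`) is an assumption inferred from the posted lines; NetBT name service is never supposed to cross toward the Internet, so any hit is worth investigating.

```python
import ipaddress
import struct

# Frame 42 exactly as hex-dumped in CJ's post (92 bytes: Ethernet II / IPv4 / UDP / NBNS).
FRAME_42 = bytes.fromhex(
    "00 20 78 c7 64 c6 00 10 a4 eb a4 21 08 00 45 00 "
    "00 4e b9 b8 00 00 80 11 19 1b 0a fe d7 33 d9 b3 "
    "ab e6 00 89 00 89 00 3a ba e3 9d 6f 00 10 00 01 "
    "00 00 00 00 00 00 20 43 4b 41 41 41 41 41 41 41 "
    "41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 "
    "41 41 41 41 41 41 41 00 00 21 00 01"
)
NBNS_TYPES = {0x0020: "NB", 0x0021: "NBSTAT"}   # NBSTAT = node status request (RFC 1002)

def decode_nbns_name(encoded):
    """RFC 1002 first-level decoding: each 'A'..'P' pair is one byte; byte 16 is the suffix."""
    raw = bytes(((a - 0x41) << 4) | (b - 0x41) for a, b in zip(encoded[::2], encoded[1::2]))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]

def parse_nbns_frame(frame):
    """Walk Ethernet II -> IPv4 -> UDP -> NBNS header and the first question record."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[14 + 9] != 17:
        raise ValueError("expected IPv4 over Ethernet carrying UDP")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    src = ipaddress.ip_address(frame[ip + 12:ip + 16])
    dst = ipaddress.ip_address(frame[ip + 16:ip + 20])
    udp = ip + ihl
    sport, dport = struct.unpack_from("!HH", frame, udp)
    tid, flags, qdcount = struct.unpack_from("!HHH", frame, udp + 8)
    q = udp + 8 + 12                          # first question follows the 12-byte NBNS header
    nlen = frame[q]                           # label length byte (0x20 = 32 encoded characters)
    name, suffix = decode_nbns_name(frame[q + 1:q + 1 + nlen])
    qtype, qclass = struct.unpack_from("!HH", frame, q + 2 + nlen)   # skip label and 0x00 terminator
    return {"src": str(src), "dst": str(dst), "sport": sport, "dport": dport, "tid": tid,
            "is_query": not flags & 0x8000,             # R bit clear
            "broadcast_flag": bool(flags & 0x0010),     # B bit set although the IP destination is unicast
            "questions": qdcount, "name": name, "suffix": suffix,
            "qtype": NBNS_TYPES.get(qtype, hex(qtype)), "qclass": qclass,
            "dst_is_public": dst.is_global}             # should never be true for NetBT name service

def flag_outbound_nbns(log_lines):
    """Trap lines shaped like '<date> <time> <facility> router @out <src> <sport> <dst> <dport>'
    (assumed field order, inferred from the post) where UDP/137 is leaving toward a public address."""
    hits = []
    for line in log_lines:
        f = line.split()
        if "@out" in f and f[-1] == "137" and ipaddress.ip_address(f[-2]).is_global:
            hits.append(line)
    return hits
```

Running `parse_nbns_frame(FRAME_42)` reports a query with the broadcast bit set, name "*" with suffix 0x00, type NBSTAT, and a public destination, which is exactly the combination Kristin's replies say has no legitimate source without WINS replication.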

Kristin Thomas [MSFT]

I admit, I'm stumped. I tried to look up a couple of those IP addresses and
couldn't figure out who owned them. If you aren't pointing to them for
WINS, and you don't have WINS set up or replicating, I have to wonder if you
have a virus of some sort that is hijacking this machine. I have no idea
what someone could do with those packets, but I'm not a hacker either.

Try scanning the machine for viruses; there are free scanning tools on
housecall.trendmicro.com.

Hey, I just found this article too. It looks like something you might be
experiencing, but differently. Do you have this patch applied?

269239 MS00-047: NetBIOS Vulnerability May Cause Duplicate Name on the
Network
http://support.microsoft.com/?id=269239


Best Regards,

Kristin Thomas, MCSE, MCP
Microsoft Enterprise Network Support

Get Secure! - www.microsoft.com/security


