RE: With SP1, zillions of port 137 and 138 denials
- From: v-jerryz@xxxxxxxxxxxxxxxxxxxx (Jerry zhao (MSFT))
- Date: Tue, 14 Jun 2005 07:09:50 GMT
Hi Imer,
Thanks for your post.
The UDP 137 is a kind of "NETBIOS Name Service" communication port and the
UDP 138 is a kind of "NETBIOS Datagram Service" communication port.
Generally, computers will keep sending out NETBIOS packets (UPD broadcast).
The WINS name services depend on them.
As the ISA 2004 can also monitor the internal network and it blocks the
port 137 and 138, the errors will be recorded with no doubt. Based on my
knowledge, this should be a normal behavior. So, if there is no other error
message, you can ignore them.
Meanwhile, could you let me know what the source address is?
As for the "Windows Firewall spoof errors", could you let up know the exact
error description?
If you encounter any difficulties or have any concerns, feel free to let me
know. I look forward to your update.
For your information:
The NetBIOS Name Server (NBNS) protocol, part of the NetBIOS over TCP/IP
(NBT) family of protocols, is implemented in Windows systems as the Windows
Internet Name Service (WINS). By design, NBNS allows network peers to
assist in managing name conflicts. Also by design, it is an unauthenticated
protocol and therefore subject to spoofing. A malicious user could misuse
the Name Conflict and Name Release mechanisms to cause another machine to
conclude that its name was in conflict. Depending on the scenario, the
machine would as a result either be unable to register a name on the
network, or would relinquish a name it already had registered. The result
in either case would be the same - the machine would not respond requests
sent to the conflicted name anymore.
If normal security practices have been followed, and port 137 UDP has been
blocked at the firewall, external attacks would not be possible. A patch is
available that changes the behavior of Windows systems in order to give
administrators additional flexibility in managing their networks. The patch
allows administrators to configure a machine to only accept a name conflict
datagram in direct response to a name registration attempt, and to
configure machines to reject all name release datagrams. This will reduce
but not eliminate the threat of spoofing. Customers needing additional
protection may wish to consider using IPSec in Windows 2000 to authenticate
all sessions on ports 137-139.
Best regards,
Jerry Zhao (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
.
- Follow-Ups:
- Re: With SP1, zillions of port 137 and 138 denials
- From: Imer Satz
- Re: With SP1, zillions of port 137 and 138 denials
- References:
- With SP1, zillions of port 137 and 138 denials
- From: Imer Satz
- With SP1, zillions of port 137 and 138 denials
- Prev by Date: RE: Creating multiple backup configurations using the Backup Wizard
- Next by Date: RE: Customise / stop fax wizard
- Previous by thread: With SP1, zillions of port 137 and 138 denials
- Next by thread: Re: With SP1, zillions of port 137 and 138 denials
- Index(es):
Relevant Pages
|
