[19414] in North American Network Operators' Group
Re: Crazy flying netbios packets
daemon@ATHENA.MIT.EDU (Samuel Gunnestad)
Fri Sep 11 05:17:12 1998
Date: Fri, 11 Sep 1998 11:05:00 +0200 (MET DST)
From: Samuel Gunnestad <samuel@nextel.no>
Reply-To: Samuel Gunnestad <samuel@nextel.no>
To: blast <blast@broder.com>
cc: Eric Germann <ekgermann@cctec.com>, Pete Ashdown <pashdown@xmission.com>,
nanog@merit.edu
In-Reply-To: <Pine.BSI.4.02.9809030736540.305-100000@pillbox.broder.com>
On Thu, 3 Sep 1998, blast wrote:
> There is a very popular WWW log analysis program by the name of
> WebTrends. It is run on a Win32 platform and when processing
> GIGs of www access-logs, it will uni-cast for WINS resolution to
> every foreign IP if finds for WINS name resolution, fail,
> and then use DNS for resolution.
>
> My fear (uneducated on the matter) is that it is not WebTrends but
> Microsoft's gethostbyaddr() call which would mean that this type of
> crazy 137/udp WINS resolution traffic is more commonly mis-used than
> we think.
I agree.
As an ISP, we receive huge amounts of netbios traffic (which is blocked by our acl's and causes our logs to get pretty ugly).
The customer pays dearly for this "hack": as the telco bills the customer for every initial connection and also further use.
Most single-users get pretty upset when they receive a phone bill of $3000.
It's easy to fix if you have the knowledge about how, but most single-users don't.
(Port 137 packets denied yesterday: 30000+)
Samuel Gunnestad
Telenor Nextel
--
"If you park, don't drink, accidents cause people." - Confusius
