This is simply DNS using WINS-R for reverse zones; as most of you should
know, this is a checkbox away in NT's DNS.
Although WINS uses a database, WINS-R won't even try to look it up. What
all WINS servers do is issue a direct "nbname" query to the "originating
IP", asking its NetBIOS name.
An example? Suppose your system's IP isn't mapped on any DNS (i.e., DNS
PTR query will fail) and you are accessing a www server that uses a
MS-DNS box configured to use a WINS server for WINS-R; the DNS will fail
using "normal" methods and will try using the WINS server. The WINS
server will try to resolve your IP the only way it knows; how? Issuing a
direct "nbname" query to your system, thus generating the "attack".
This becomes even funnier in case of "dual homed" WINS servers, where
the originating IP is sometimes the internal one (i.e., invalid
networks).
Solution: drop and ignore all udp port 137 packets on your
firewalls/routers and make sure your MS DNS *doesn't* use WINS-R for
reverse resolution.
--
Rui Pedro Bernardino / Av. Miguel Bombarda, 4, 8o / 1049-058 Lisboa /
Portugal
Hmmm ... a PINHEAD, during an EARTHQUAKE, encounters an ALL-MIDGET
FIDDLE ORCHESTRA ... ha ... ha ...
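Added example, not part of the original post: the "nbname" query the post describes is a NetBIOS node status request (NBSTAT, QTYPE 0x21, wildcard name "*") sent to UDP port 137 of the client's address. The Python below builds and parses such a packet (RFC 1001/1002 first-level name encoding) and then runs a small detector over constructed flow records, flagging outbound node status requests that leave the internal networks, which is exactly the symptom of a MS DNS box doing WINS-R reverse lookups through WINS. The internal network ranges and the sample records are assumptions made up for the example.

```python
import struct
from ipaddress import ip_address, ip_network

NBNS_PORT = 137
QTYPE_NB = 0x0020      # ordinary NetBIOS name query
QTYPE_NBSTAT = 0x0021  # node status request, the "nbname" query from the post


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name: 15 chars (space padded, the wildcard
    '*' is NUL padded), one suffix byte, each nibble mapped to a letter A..P,
    wrapped as a 32-byte label with a terminating zero length byte."""
    raw = name.encode("ascii")
    raw = raw.ljust(15, b"\x00" if name == "*" else b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(out) + b"\x00"


def build_nbns_query(txid: int, name: str, qtype: int) -> bytes:
    """Header is DNS-shaped: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_nb_name(name) + struct.pack("!HH", qtype, 1)


def parse_nbns_query(payload: bytes):
    """Decode one NBNS query; returns None for responses or malformed data."""
    if len(payload) < 12:
        return None
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qd != 1:      # response bit set, or not a single question
        return None
    pos = 12
    if payload[pos] != 32 or len(payload) < pos + 1 + 32 + 1 + 4:
        return None
    enc = payload[pos + 1:pos + 33]
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = enc[i] - 0x41, enc[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            return None
        raw.append((hi << 4) | lo)
    pos += 33
    if payload[pos] != 0:               # label terminator
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    name = raw[:15].rstrip(b"\x00 ").decode("ascii", "replace")
    return {"txid": txid, "name": name, "suffix": raw[15],
            "qtype": qtype, "qclass": qclass}


def flag_wins_r_probes(records, internal_nets):
    """records: (src_ip, dst_ip, dst_port, udp_payload). Flags node status
    requests that leave the internal networks; a dual-homed WINS server
    sourcing them from a private address shows up here as well."""
    nets = [ip_network(n) for n in internal_nets]

    def is_internal(ip):
        return any(ip_address(ip) in n for n in nets)

    hits = []
    for src, dst, dport, payload in records:
        if dport != NBNS_PORT:
            continue
        q = parse_nbns_query(payload)
        if q is None or q["qtype"] != QTYPE_NBSTAT:
            continue
        if is_internal(src) and not is_internal(dst):
            hits.append((src, dst, q["name"]))
    return hits


def demo():
    # Constructed sample flows: 192.0.2.0/24 plays the internal network,
    # 198.51.100.7 an outside web client whose PTR lookup failed.
    records = [
        ("192.0.2.10", "198.51.100.7", 137, build_nbns_query(0x1234, "*", QTYPE_NBSTAT)),
        ("192.0.2.10", "192.0.2.50", 137, build_nbns_query(0x1235, "*", QTYPE_NBSTAT)),
        ("192.0.2.10", "198.51.100.7", 137, build_nbns_query(0x1236, "FILESRV", QTYPE_NB)),
        ("192.0.2.10", "198.51.100.7", 53, b"\x00\x01\x01\x00"),
    ]
    return flag_wins_r_probes(records, ["192.0.2.0/24"])


if __name__ == "__main__":
    for src, dst, name in demo():
        print(f"outbound NBSTAT probe {src} -> {dst} (name {name!r})")
```

Only the first record is reported: it is the WINS server asking an outside host for its NetBIOS name. The internal-to-internal probe and the plain name query are normal WINS traffic, and nothing on a port other than 137 is parsed at all. A hit here is the sign that the DNS server still has WINS-R reverse lookup enabled, or that the firewall is not yet dropping UDP 137.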