Jeremy
I have a win2k domain controller running WINS, DNS. The domain only
has a few machines as it is a development environment. A few days ago
I noticed I had some problems getting any machine to establish any
sort of outside connection (HTTP, FTP)...even directly to the linksys
router. After investigating further I noticed the domain controller was
broadcasting a tremendous amount of data. If I disconnected the domain
controller from the router I got outside connectivity back. I
installed a packet sniffer and saw nearly 4 of these per second:
netbios-ssn Source: 192.168.1.100 Destination: xxx.xxx.xxx.49
netbios-ssn Source: 192.168.1.100 Destination: xxx.xxx.xxx.50
netbios-ssn Source: 192.168.1.100 Destination: xxx.xxx.xxx.51
netbios-ssn Source: 192.168.1.100 Destination: xxx.xxx.xxx.52
....
The destination is continual and sequential.
When I view via netstat -a:
TCP MyMachineName:1944 0.0.216.100:netbios-ssn SYN_SENT
TCP MyMachineName:1945 0.0.216.101:netbios-ssn SYN_SENT
TCP MyMachineName:1946 0.0.216.102:netbios-ssn SYN_SENT
TCP MyMachineName:1947 0.0.216.103:netbios-ssn SYN_SENT
....
These requests start at 0.0.0.0 and continue forever.
The packets are hitting machines in Seattle, Minnesota, LA,
etc...nothing to do with my internal domain.
After doing some Googling I found that many recommended disabling
netbios over TCP which I did but still encountered the same activity.
What is this? Is this virus activity or normal behavior...if it's
normal behavior I want to disable it because I can't even get to my
own router without disconnecting the "packet pushing" domain
controller let alone other resources.
Thanks in advance for any suggestions!
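A quick triage check that can be run over the netstat output quoted above (an added example, not part of the original post; the sample lines are constructed from the excerpt). It flags a run of outbound SYN_SENT connections to netbios-ssn against consecutive addresses, which is the sweeping pattern described, rather than anything a domain controller needs to do for its own domain.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the `netstat -a` lines in the post.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address            State
TCP    MyMachineName:1944     0.0.216.100:netbios-ssn    SYN_SENT
TCP    MyMachineName:1945     0.0.216.101:netbios-ssn    SYN_SENT
TCP    MyMachineName:1946     0.0.216.102:netbios-ssn    SYN_SENT
TCP    MyMachineName:1947     0.0.216.103:netbios-ssn    SYN_SENT
TCP    MyMachineName:1948     0.0.216.104:netbios-ssn    SYN_SENT
TCP    MyMachineName:445      192.168.1.101:1054         ESTABLISHED
TCP    MyMachineName:139      0.0.0.0:0                  LISTENING
"""

# Windows netstat rows: proto, local host:port, foreign host:port, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Return (local_port, remote_host, remote_port, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, lport, rhost, rport, state = m.groups()
            rows.append((lport, rhost, rport, state))
    return rows

def find_sequential_syn_sweep(text, service=("netbios-ssn", "139"), min_hosts=3):
    """Longest run of consecutive foreign IPs with half-open (SYN_SENT)
    connections to the given service; [] if shorter than min_hosts."""
    targets = []
    for _, rhost, rport, state in parse_netstat(text):
        if state == "SYN_SENT" and rport in service:
            try:
                targets.append(int(ip_address(rhost)))
            except ValueError:  # hostnames instead of literals: skip
                continue
    best, run = [], []
    for t in sorted(set(targets)):
        run = run + [t] if run and t == run[-1] + 1 else [t]
        if len(run) > len(best):
            best = list(run)
    return [str(ip_address(t)) for t in best] if len(best) >= min_hosts else []
```

A healthy host shows at most a handful of unrelated SYN_SENT entries; a long consecutive run to port 139 is worth isolating the machine and scanning it, as the poster ended up doing by pulling the cable.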