How do I stop outgoing NETBIOS Traffic?


Jeremy

I have a win2k domain controller running WINS, DNS. The domain only
has a few machines as it is a development environment. A few days ago
I noticed I had some problems getting any machine to establish any
sort of outside connection (HTTP, FTP)...even directly to the Linksys
router. After investigating further I noticed the domain controller was
broadcasting a tremendous amount of data. If I disconnected the domain
controller from the router I got outside connectivity back. I
installed a packet sniffer and saw nearly 4 of these per second:

netbios-ssn Source: 192.168.1.100 Destination: xxx.xxx.xxx.49
netbios-ssn Source: 192.168.1.100 Destination: xxx.xxx.xxx.50
netbios-ssn Source: 192.168.1.100 Destination: xxx.xxx.xxx.51
netbios-ssn Source: 192.168.1.100 Destination: xxx.xxx.xxx.52
....

The destination is continual and sequential.

When I view via netstat -a:

TCP MyMachineName:1944 0.0.216.100:netbios-ssn SYN_SENT
TCP MyMachineName:1945 0.0.216.101:netbios-ssn SYN_SENT
TCP MyMachineName:1946 0.0.216.102:netbios-ssn SYN_SENT
TCP MyMachineName:1947 0.0.216.103:netbios-ssn SYN_SENT
....

These requests start at 0.0.0.0 and continue forever.

The packets are hitting machines in Seattle, Minnesota, LA,
etc...nothing to do with my internal domain.

After doing some Googling I found that many recommended disabling
netbios over TCP which I did but still encountered the same activity.

What is this? Is this virus activity or normal behavior...if it's
normal behavior I want to disable it because I can't even get to my
own router without disconnecting the "packet pushing" domain
controller let alone other resources.

Thanks in advance for any suggestions!
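
Added example, not part of the original post: a small Python check that reads netstat -a output and reports runs of half-open (SYN_SENT) netbios-ssn connections whose destination addresses increase one by one, the pattern shown above. The sample text is constructed from the lines quoted in the post; the function names and the minimum run length of 3 are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the netstat -a lines quoted in the post.
SAMPLE = """\
TCP MyMachineName:1944 0.0.216.100:netbios-ssn SYN_SENT
TCP MyMachineName:1945 0.0.216.101:netbios-ssn SYN_SENT
TCP MyMachineName:1946 0.0.216.102:netbios-ssn SYN_SENT
TCP MyMachineName:1947 0.0.216.103:netbios-ssn SYN_SENT
TCP MyMachineName:445 0.0.0.0:0 LISTENING
TCP MyMachineName:2001 192.168.1.1:http ESTABLISHED
"""

# proto, local host:port, remote ip:port, state
LINE = re.compile(r"^\s*TCP\s+\S+:(\S+)\s+(\d+\.\d+\.\d+\.\d+):(\S+)\s+(\S+)\s*$")
NETBIOS_SSN = {"netbios-ssn", "139"}  # netstat prints the name, netstat -n the number


def half_open_targets(netstat_text, ports=NETBIOS_SSN):
    """Return sorted unique remote IPs with a SYN_SENT connection to `ports`."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m and m.group(4) == "SYN_SENT" and m.group(3) in ports:
            found.add(ipaddress.IPv4Address(m.group(2)))
    return sorted(found)


def sequential_runs(addresses, min_len=3):
    """Group sorted addresses into runs of consecutive IPs; keep runs >= min_len."""
    runs, current = [], []
    for addr in addresses:
        if current and int(addr) - int(current[-1]) == 1:
            current.append(addr)
        else:
            if len(current) >= min_len:
                runs.append(current)
            current = [addr]
    if len(current) >= min_len:
        runs.append(current)
    return [(str(r[0]), str(r[-1]), len(r)) for r in runs]


if __name__ == "__main__":
    for first, last, count in sequential_runs(half_open_targets(SAMPLE)):
        print(f"sequential netbios-ssn SYN_SENT run: {first} -> {last} ({count} hosts)")
```

Running it against successive netstat captures shows whether the run keeps advancing through the address space; a single capture only shows the connections that are half-open at that moment.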
 