echo: novell
to: ALL
from: `Tim Banner`
date: 2000-09-19 00:00:00
subject: Unwanted Internet Connection Through Dial on Demand

From: "Tim Banner" 
Subject: Unwanted Internet Connection Through Dial on Demand
Date: 2000/09/19
Message-ID: #1/1
Organization: Virgin Net Usenet Service
NNTP-Posting-Date: Tue, 19 Sep 2000 15:27:50 BST
Newsgroups: alt.os.linux.dial-up,alt.windows98,comp.os.linux.networking,comp.os.ms-windows.networking.misc,comp.os.ms-windows.networking.tcp-ip,comp.os.netware.connectivity,comp.os.netware.misc,fido.novell

I'm sorry for the cross posting, but I've been trying to sort this problem
out for quite some time.

I'm currently having a problem with unwanted Internet connections, which I
suspect is due to NetBIOS name resolution over DNS.  We have Netware 4.2
servers, which act only as file servers, a Linux server with Samba server
(an NT compatible server based upon SMB/NetBIOS) installed, which also runs
Proxy/Masquerading, DNS and packet filtering, and a mixture of Win 95/98
workstations.  The Linux server is our connection to the outside via Dial on
demand modem; however, we had this problem when we used one of the Netware
servers for Dial on Demand.

I've ensured that all workstations are within the same Domain/workgroup, as
going between Workgroups/domains caused connections.  I've used Samba's WINS
server to help reduce name resolution; since all unwanted connections are
followed by DNS requests, I've added every workstation to our DNS server (not
much fun I can tell you ;).  I've also denied TCP and UDP packets on Ports
137->139 (NetBIOS) across the PPP link.

But we are still getting unwanted connections (albeit not at such regular
intervals, up to 10 per day).

Below is a snippet of a tcpdump capture over the Linux PC's ethernet card.
As you can see in the second set the workstation requests
222.190.31.255:netbios-dgm (138), which is out of the 192.168.1.0/24 range
we use.

13:23:37.546549 bcmbo98br000066.bridgec.bgws.org.uk.netbios-dgm > 192.168.1.255.netbios-dgm:
>>> NBT UDP PACKET(138) Res=0x1102 ID=0x206 IP=192.168.1.21 Port=138
Length=195 Res2=0x0
SourceName=BCMBO98BR000066 NameType=0x00 (Workstation)
DestName=BRIDGE          NameType=0x1D (Master Browser)

SMB PACKET: SMBtrans (REQUEST)
SMB Command   =  0x25
Error class   =  0x0
Error code    =  0
Flags1        =  0x0
Flags2        =  0x0
Tree ID       =  0
Proc ID       =  0
UID           =  0
MID           =  0
Word Count    =  17
TotParamCnt=0
TotDataCnt=


13:23:37.547584 bcof198br000083.bridgec.bgws.org.uk.netbios-dgm > 222.190.31.255.netbios-dgm:
>>> NBT UDP PACKET(138) Res=0x111A ID=0xAC IP=192.168.1.10 Port=138
Length=206 Res2=0x0
SourceName=BCOF198BR000083 NameType=0x00 (Workstation)
DestName=BRIDGE          NameType=0x1D (Master Browser)

SMB PACKET: SMBtrans (REQUEST)
SMB Command   =  0x25
Error class   =  0x0
Error code    =  0
Flags1        =  0x0
Flags2        =  0x0
Tree ID       =  0
Proc ID       =  0
UID           =  0
MID           =  0
Word Count    =  17
TotParamCnt=0
TotDataCnt=


13:23:37.566950 bcmbo98br000084.bridgec.bgws.org.uk.netbios-dgm > 192.168.1.255.netbios-dgm:
>>> NBT UDP PACKET(138) Res=0x1102 ID=0x84 IP=192.168.1.31 Port=138
Length=197 Res2=0x0
SourceName=BCMBO98BR000084 NameType=0x00 (Workstation)
DestName=BRIDGE          NameType=0x1D (Master Browser)


The following is a tcpdump of the PPP Interface at that time:

13:23:37.558157 intranet.bridgec.bgws.org.uk.1054 > 194.168.4.100.domain: 31690+ PTR? 255.31.190.222.in-addr.arpa. (45)
13:23:37.571275 intranet.bridgec.bgws.org.uk.1054 > 194.168.4.100.domain: 12249+ A? SUNIC.SUNET.SE. (32)
13:23:37.572018 intranet.bridgec.bgws.org.uk.1054 > 194.168.4.100.domain: 60156+ A? MUNNARI.OZ.AU. (31)


Sorry that it's harder to read through word wrapping.  The address
222.190.31.255 (Broadcast?) only appears once in the Ethernet tcpdump, and
the ppp dump only appears to have DNS requests for this IP address in that
session.  However, since the request for 222. was on port 138 it should have
been blocked.  I don't think this is what caused the connection, but because
this workstation address wasn't known I suspect the WINS server did a DNS
query.

Any suggestions as to what may be causing my unwanted connections?  Any idea
why this workstation (coincidentally it was mine) is requesting IP
addresses out of its domain?  Does anybody have a pill that restores sanity,
or hair loss during troubleshooting?

Regards

Tim Banner
admin.bridgecDELETEUPPERCASETEXT@virginnet.co.uk

Please remove the UPPERCASE TEXT from the e-mail address above, this is an
anti-spam measure.  Thanks.
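An added example, not part of the original post, that automates the check the poster did by hand: flag NBT datagrams on the Ethernet side whose destination lies outside 192.168.1.0/24, then look on the PPP side for the reverse (PTR) lookup of that address within a short window, which is the sign that the name-resolution path, not the filtered NetBIOS ports, is what brings the link up. The sample lines are constructed from the capture above (joined to one line per packet); the regexes, the 0.5 s window and the function names are assumptions.

```python
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines, taken from the post's two tcpdump captures.
ETH_LINES = """\
13:23:37.546549 bcmbo98br000066.bridgec.bgws.org.uk.netbios-dgm > 192.168.1.255.netbios-dgm:
13:23:37.547584 bcof198br000083.bridgec.bgws.org.uk.netbios-dgm > 222.190.31.255.netbios-dgm:
13:23:37.566950 bcmbo98br000084.bridgec.bgws.org.uk.netbios-dgm > 192.168.1.255.netbios-dgm:
""".splitlines()
PPP_LINES = """\
13:23:37.558157 intranet.bridgec.bgws.org.uk.1054 > 194.168.4.100.domain: 31690+ PTR? 255.31.190.222.in-addr.arpa. (45)
13:23:37.571275 intranet.bridgec.bgws.org.uk.1054 > 194.168.4.100.domain: 12249+ A? SUNIC.SUNET.SE. (32)
""".splitlines()

# Assumed tcpdump line shapes: "<ts> <src>.netbios-xxx > <dst-ip>.netbios-xxx:" and
# "<ts> <src> > <resolver>.domain: <id>+ <type>? <name>. (<len>)"
NBT_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \S+\.netbios-(?:dgm|ns|ssn) > (\d+\.\d+\.\d+\.\d+)\.netbios-")
DNS_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \S+ > \S+\.domain: \d+\+ (PTR|A)\? (\S+)\. \(\d+\)")

def to_seconds(ts):
    """Turn a tcpdump HH:MM:SS.ffffff timestamp into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def off_subnet_nbt(lines, lan=LAN):
    """Return (time, dst) for NBT datagrams whose destination is outside the LAN."""
    out = []
    for line in lines:
        m = NBT_RE.match(line)
        if m and ipaddress.ip_address(m.group(2)) not in lan:
            out.append((to_seconds(m.group(1)), m.group(2)))
    return out

def reverse_name(ip):
    """Build the in-addr.arpa name a resolver asks for when it reverse-looks-up ip."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def correlate(eth_lines, ppp_lines, window=0.5):
    """Match each off-subnet NBT datagram to a PTR query for its address on the PPP link."""
    ptrs = []
    for line in ppp_lines:
        m = DNS_RE.match(line)
        if m and m.group(2) == "PTR":
            ptrs.append((to_seconds(m.group(1)), m.group(3)))
    findings = []
    for t, dst in off_subnet_nbt(eth_lines):
        want = reverse_name(dst)
        hit = next((pt for pt, name in ptrs if name == want and 0 <= pt - t <= window), None)
        findings.append({"dst": dst, "nbt_time": t, "ptr_time": hit, "triggered_dns": hit is not None})
    return findings
```

Run over real captures, the source hostname of each flagged datagram tells you which workstation is dialling the link up; the A queries for root-server names that follow the PTR are the resolver walking the tree for the unknown address.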

SOURCE: echoes via archive.org
