[fw-wiz] Does W2k issue an NBNS query automatically following each unsuccessful reverse DNS query?

From: Jack Arenberg (gh0988@hotmail.com)
Date: 12/08/02


From: "Jack Arenberg" <gh0988@hotmail.com>
To: <firewall-wizards@honor.icsalabs.com>
Date: Sun Dec  8 09:48:01 2002

Hi fellas

I hope you can help me with the following problem. I think Zone Alarm Pro (or
Win2k) behaves in a strange way under a scan attempt from an IP address
which can't be reverse-resolved.
I'm running NAT/ICS over PPPoE/ADSL using Windows 2000 on the ICS server and
the clients.

It turns out that when an NBNS/NBSTAT scan attempt, or a TCP/IP SYN packet
comes in, (and DNS can't reverse resolve), the computer tries to respond and
do an outgoing NetBIOS query, although by looking at ZA logs, ZA claims it
has blocked the __incoming__ query (I have ZoneAlarm Pro).

I am attaching here the ZoneAlarm log, and a snort/Ethereal log. The
interesting packets are 1)-->, 2)<--, 3)--> and 4) <-- (incoming/outgoing
pairs).

2) & 4) shouldn't have happened, unless ZoneAlarm is trying to resolve the
attacking host name using NetBIOS after DNS failed in doing it. But then, if
this theory is right, ZA shouldn't block it from going out (in the same way
it doesn't block reverse DNS queries, see the attached Ethereal dump).
Another question is then, why can't ZoneAlarm do a pure DNS query?

Thanking in advance

ma0934

ZoneAlarm Pro, Ethereal log excerpts:

Note: my Internet Address is (obtained by DHCP through PPPoE): my.net.182.84
My DNS server (my ISP's DNS is): isp.dns.106.46

ZoneAlarm log excerpt:
FWIN,2002/12/04,17:37:44 +2:00 GMT,212.179.194.99:4787,my.net.182.84:445,TCP (flags:S)
FWIN,2002/12/04,17:40:48 +2:00 GMT,80.56.132.234:1546,my.net.182.84:2592,TCP (flags:S)
FWIN,2002/12/04,17:43:00 +2:00 GMT,80.56.132.234:2165,my.net.182.84:2592,TCP (flags:S)
FWIN,2002/12/04,17:46:42 +2:00 GMT,80.56.132.234:3077,my.net.182.84:2592,TCP (flags:S)
1) --> FWIN,2002/12/04,17:47:48 +2:00 GMT,12.106.207.130:1025,my.net.182.84:137,UDP
2) <-- FWOUT,2002/12/04,17:47:48 +2:00 GMT,my.net.182.84:1025,12.106.207.130:137,UDP
3) --> FWIN,2002/12/04,17:48:34 +2:00 GMT,195.244.38.252:2146,my.net.182.84:1433,TCP (flags:S)
4) <-- FWOUT,2002/12/04,17:48:34 +2:00 GMT,my.net.182.84:1025,195.244.38.252:137,UDP
FWIN,2002/12/04,17:48:34 +2:00 GMT,195.244.38.252:2146,my.net.182.84:1433,TCP (flags:S)
FWIN,2002/12/04,17:50:30 +2:00 GMT,80.56.132.234:3941,my.net.182.84:2592,TCP (flags:S)
FWIN,2002/12/04,17:57:48 +2:00 GMT,212.179.222.24:3682,my.net.182.84:445,TCP (flags:S)
FWIN,2002/12/04,17:58:04 +2:00 GMT,80.56.132.234:1876,my.net.182.84:2592,TCP (flags:S)
FWIN,2002/12/04,18:03:16 +2:00 GMT,200.170.151.242:10024,my.net.182.84:137,UDP
FWIN,2002/12/04,18:03:18 +2:00 GMT,206.48.252.243:1030,my.net.182.84:137,UDP

Consequences of 1) and 2) in the snort/Ethereal capture log:

1) --> Frame 234 (128 bytes on wire, 128 bytes captured)
Arrival Time: Dec 4, 2002 17:47:48.762915000
Ethernet II, Src: 00:90:d0:0e:94:67, Dst: 00:10:5a:46:e9:15 Destination:
00:10:5a:46:e9:15 (3COM_46:e9:15)
Source: 00:90:d0:0e:94:67 (ALCATEL_0e:94:67) Type: IP (0x0800)
Internet Protocol, Src Addr: 10.0.0.138 (10.0.0.138), Dst Addr: 10.0.0.1
(10.0.0.1) Version: 4 Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) Total
Length: 114 Identification: 0x913b Time to live: 64
Protocol: GRE (0x2f) Source: 10.0.0.138 (10.0.0.138) Destination: 10.0.0.1
(10.0.0.1)
Generic Routing Encapsulation (PPP) Flags and version: 0x3001 Payload
length: 82 Call ID: 32768 Sequence number: 1300
Protocol: IP (0x0021) Internet Protocol, Src Addr: 12.106.207.130
(12.106.207.130), Dst Addr: my.net.182.84 Version: 4
Header length: 20 bytes
User Datagram Protocol, Src Port: 1025 (1025), Dst Port: netbios-ns (137)
Length: 58
NetBIOS Name Service Transaction ID: 0x0100
*<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>:
type NBSTAT, class inet
Name:
*<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
(Workstation/Redirector)

Frame 235 (127 bytes on wire, 127 bytes captured)
Arrival Time: Dec 4, 2002 17:47:48.785067000
Ethernet II, Destination: 00:90:d0:0e:94:67 (ALCATEL_0e:94:67) Source:
00:10:5a:46:e9:15 (3COM_46:e9:15) Type: IP (0x0800)
Internet Protocol, Src Addr: 10.0.0.1 (10.0.0.1), Dst Addr: 10.0.0.138
(10.0.0.138)
Version: 4 Header length: 20 bytes Total Length: 113 Time to live: 128
Protocol: GRE (0x2f) Source: 10.0.0.1 (10.0.0.1) Destination: 10.0.0.138
(10.0.0.138) Generic Routing Encapsulation (PPP) Payload length: 77
Protocol: IP (0x0021) Internet Protocol, Src Addr: my.net.182.84, Dst Addr:
isp.dns.106.46 Version: 4 Header length: 20 bytes Time to live: 128
Protocol: UDP (0x11) Source: my.net.182.84 Destination: isp.dns.106.46
User Datagram Protocol, Src Port: 4474 (4474), Dst Port: domain (53) Length:
53
Domain Name System (query) Transaction ID: 0x033a
130.207.106.12.in-addr.arpa: type PTR, class inet

Frame 236 (230 bytes on wire, 230 bytes captured) Arrival Time: Dec 4, 2002
17:47:48.845598000
Destination: 00:10:5a:46:e9:15 (3COM_46:e9:15) Source: 00:90:d0:0e:94:67
(ALCATEL_0e:94:67)
Internet Protocol, Src Addr: 10.0.0.138 (10.0.0.138), Dst Addr: 10.0.0.1
(10.0.0.1) Version: 4 Header length: 20 bytes Total Length: 216
Identification: 0x913c Time to live: 64
Protocol: GRE (0x2f) Source: 10.0.0.138 Destination: 10.0.0.1
Generic Routing Encapsulation (PPP) Protocol Type: PPP (0x880b) Payload
length: 180 Call ID: 32768
Protocol: IP (0x0021) Src Addr: isp.dns.106.46, Dst Addr: my.net.182.84
Version: 4 Header length: 20 bytes Total Length: 176 Identification: 0x0be7
Time to live: 249
Protocol: UDP (0x11) Source: isp.dns.106.46 Destination: my.net.182.84
User Datagram Protocol, Src Port: domain (53), Dst Port: 4474 (4474)
Length: 156
Domain Name System (response)
Transaction ID: 0x033a 0011 = Reply code: No such name (3)
Queries 130.207.106.12.in-addr.arpa: type PTR, class inet
Answers
Class: inet Time to live: 1 day, 23 hours, 57 minutes, 46 seconds Data
length: 13 Primary name: 130.128/25.207.106.12.in-addr.arpa
Authoritative nameservers 128/25.207.106.12.in-addr.arpa: type SOA, class
inet, mname cbru.br.ns.els-gms.att.net
Type: Start of zone of authority Class: inet Time to live: 2 hours, 57
minutes, 46 seconds Data length: 66
Primary name server: cbru.br.ns.els-gms.att.net Responsible authority's
mailbox: hostmaster.mail.att.net Serial number: 1
Refresh interval: 23 hours, 3 minutes, 20 seconds Retry interval: 2 hours,
46 minutes, 40 seconds
Expiration limit: 6 days, 22 hours, 40 minutes Minimum TTL: 1 day

Consequences of 3) and 4) in the snort/Ethereal capture log:
3) --> Frame 269 (98 bytes on wire, 98 bytes captured) Arrival Time: Dec 4,
2002 17:48:35.850847000
Destination: 00:10:5a:46:e9:15 (3COM_46:e9:15) Source: 00:90:d0:0e:94:67
(ALCATEL_0e:94:67)
Type: IP (0x0800) Src Addr: 10.0.0.138, Dst Addr: 10.0.0.1 Version: 4 Header
length: 20 bytes Total Length: 84 Identification: 0x9157 Flags: 0x00 Time to
live: 64
Protocol: GRE (0x2f) Source: 10.0.0.138 Destination: 10.0.0.1 Generic
Routing Encapsulation (PPP) Flags and version: 0x3001 Protocol Type:
PPP (0x880b)
Payload length: 52 Call ID: 32768 Sequence number: 1304
Protocol: IP (0x0021) Internet Protocol, Src Addr: 195.244.38.252, Dst Addr:
my.net.182.84 Version: 4 Header length: 20 bytes
Total Length: 48 Identification: 0x4589 Flags: 0x04 Time to live: 114
Protocol: TCP (0x06) Source: 195.244.38.252 Destination: my.net.182.84
Src Port: 2146 (2146), Dst Port: ms-sql-s (1433), Seq: 2379778499, Ack:
Header length: 28 bytes Flags: 0x0002 (SYN) Window size: 64240 Maximum
segment size: 1460 bytes NOP NOP SACK permitted

Frame 270 (127 bytes on wire, 127 bytes captured) Arrival Time: Dec 4, 2002
17:48:35.888012000
Ethernet II, Dest: 00:90:d0:0e:94:67 (ALCATEL_0e:94:67) Source:
00:10:5a:46:e9:15 (3COM_46:e9:15)
Type: IP (0x0800), Src Addr: 10.0.0.1, Dst Addr: 10.0.0.138 Version: 4
Header length: 20 bytes
Total Length: 113 Identification: 0xbde3 Flags: 0x00 Time to live: 128
Protocol: GRE (0x2f) Generic Routing Encapsulation (PPP) Flags and version:
0x3081
Protocol Type: PPP (0x880b) Payload length: 77 Call ID: 0 Sequence number:
958 Ack number: 1304
Protocol: IP (0x0021) Src Addr: my.net.182.84, Dst Addr: isp.dns.106.46
Version: 4 Header length: 20 bytes Total Length: 73 Identification: 0xbde2
Flags: 0x00
Protocol: UDP (0x11) Src Port: 4477 (4477), Dst Port: domain (53) Length: 53
Domain Name System (query) Transaction ID: 0x033d Flags: 0x0100 (Standard
query) Queries 252.38.244.195.in-addr.arpa: type PTR, class inet

Frame 271 (182 bytes on wire, 182 bytes captured) Arrival Time: Dec 4, 2002
17:48:35.952346000
Ethernet II, Dst: 00:10:5a:46:e9:15 (3COM_46:e9:15) Src: 00:90:d0:0e:94:67
(ALCATEL_0e:94:67)
Type: IP (0x0800) Src: 10.0.0.138, Dst: 10.0.0.1 Version: 4 Header length:
20 bytes Total Length: 168 Identification: 0x9158 Flags: 0x00 Time to live:
64
Protocol: GRE (0x2f) Source: 10.0.0.138 Destination: 10.0.0.1 Generic
Routing Encapsulation (PPP) Flags and version: 0x3081 Type: PPP
(0x880b)
Payload length: 132 Call ID: 32768 Sequence number: 1305 Acknowledgement
number: 958
Protocol: IP (0x0021) Src: isp.dns.106.46, Dst: my.net.182.84 Version: 4
Header length: 20 bytes
Total Length: 128 Identification: 0x0bea Flags: 0x04 Time to live: 249
Protocol: UDP (0x11) Src Port: domain (53), Dst Port: 4477 Length: 108
Domain Name System (response) Transaction ID: 0x033d Flags: 0x8183 (Standard
query response, No such name)
Queries 252.38.244.195.in-addr.arpa: type PTR, class inet
Authoritative nameservers 195.in-addr.arpa: type SOA, class inet, mname
ns.ripe.net
Type: Start of zone of authority
Time to live: 1 hour, 58 minutes, 53 seconds Data length: 43 Primary name
server: ns.ripe.net
Responsible authority's mailbox: ops-195.ripe.net
Refresh interval: 12 hours Retry interval: 2 hours Expiration limit: 14 days
Minimum TTL: 2 hours
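The pattern Jack picked out by hand above (a blocked inbound probe, then a few seconds later an outbound UDP/137 NBNS packet to the same remote address, after the PTR lookup came back "No such name") is easy to pull out of a ZoneAlarm log automatically. The script below is an added example, not part of the post and not ZoneAlarm or Ethereal tooling: it parses the FWIN/FWOUT line format as quoted in the post, pairs each outbound NBNS packet with the most recent inbound packet from the same host inside a short window, and prints the in-addr.arpa name that the reverse lookup would have asked for. The sample lines are constructed after the post's log, the 5-second pairing window and the function names are assumptions, and the local address is left in the post's anonymised form.

```python
"""Correlate ZoneAlarm Pro log lines: an inbound probe (FWIN) that is
followed within a few seconds by an outbound UDP/137 NBNS packet (FWOUT)
to the same remote address, i.e. the 1)-->2)<-- pattern from the post.

Added example, not ZoneAlarm's or the post author's code. The log format
is read off the post; the sample lines, the 5-second pairing window and
the helper names are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample, following the FWIN/FWOUT format quoted in the post.
# The local address is left in the post's anonymised form.
SAMPLE_LOG = """\
FWIN,2002/12/04,17:46:42 +2:00 GMT,80.56.132.234:3077,my.net.182.84:2592,TCP (flags:S)
FWIN,2002/12/04,17:47:48 +2:00 GMT,12.106.207.130:1025,my.net.182.84:137,UDP
FWOUT,2002/12/04,17:47:48 +2:00 GMT,my.net.182.84:1025,12.106.207.130:137,UDP
FWIN,2002/12/04,17:48:34 +2:00 GMT,195.244.38.252:2146,my.net.182.84:1433,TCP (flags:S)
FWOUT,2002/12/04,17:48:34 +2:00 GMT,my.net.182.84:1025,195.244.38.252:137,UDP
FWIN,2002/12/04,18:03:18 +2:00 GMT,206.48.252.243:1030,my.net.182.84:137,UDP
"""


@dataclass
class Event:
    direction: str      # "FWIN" (blocked inbound) or "FWOUT" (outbound)
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "TCP" or "UDP"


def parse_line(line: str) -> Optional[Event]:
    """Parse one ZoneAlarm log line; return None for anything else."""
    parts = line.strip().split(",")
    if len(parts) < 6 or parts[0] not in ("FWIN", "FWOUT"):
        return None
    direction, date, time_tz, src, dst, proto = parts[:6]
    # "17:47:48 +2:00 GMT": keep the clock time, every line shares the offset
    clock = time_tz.split()[0]
    ts = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
    src_host, src_port = src.rsplit(":", 1)
    dst_host, dst_port = dst.rsplit(":", 1)
    # "TCP (flags:S)" -> "TCP"
    return Event(direction, ts, src_host, int(src_port),
                 dst_host, int(dst_port), proto.split()[0])


def find_nbns_followups(log_text: str,
                        window: timedelta = timedelta(seconds=5)
                        ) -> List[Tuple[Event, Event]]:
    """Return (trigger, reply) pairs: an FWOUT to UDP/137 preceded, within
    `window`, by an FWIN from the host the NBNS query is going to."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    pairs = []
    for out in events:
        if out.direction != "FWOUT" or out.proto != "UDP" or out.dport != 137:
            continue
        triggers = [e for e in events
                    if e.direction == "FWIN" and e.src == out.dst
                    and timedelta(0) <= out.ts - e.ts <= window]
        if triggers:
            pairs.append((max(triggers, key=lambda e: e.ts), out))
    return pairs


def reverse_name(ip: str) -> str:
    """The in-addr.arpa name a PTR lookup of `ip` asks for, e.g.
    12.106.207.130 -> 130.207.106.12.in-addr.arpa as in the capture."""
    return ipaddress.ip_address(ip).reverse_pointer


def report(log_text: str) -> List[Tuple[str, int, str, str]]:
    """(remote host, probed local port, protocol, PTR name) per pairing."""
    return [(t.src, t.dport, t.proto, reverse_name(t.src))
            for t, _ in find_nbns_followups(log_text)]


if __name__ == "__main__":
    for remote, port, proto, ptr in report(SAMPLE_LOG):
        print(f"{remote} probed {proto}/{port}; host sent NBNS to "
              f"{remote}:137 after PTR lookup of {ptr}")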