NetBIOS name server protocol spoofing

Christopher R. Hertel crh at
Mon Aug 7 21:36:43 GMT 2000

Basic rule: prevent port 137/UDP from crossing your border.

> On Fri, 4 Aug 2000, Peter Polkinghorne wrote:
> > Summary: machines can be asked to give up NetBios names, by means of
> > name conflict and name release requests.
> > I did have a quick look at the code, but apart from no obvious ref to
> > conflict packets could not determine.
> > Is Samba vulnerable to this problem?
> > Here is the Microsoft take on it (very carefully worded):
> >
> > Their fix is to have a registry setting to ignore such packets.  They point
> > out that this is potentially dangerous.  I do not think this is a big
> > issue - it is just another DoS attack.
> AFAIK, sending a netbios packet will not cause a Samba server to give up its
> name on the network.  Samba is very persistent in this regard -- it will
> continue trying to claim the name (and anything else it's configured for) no
> matter what other machines on the network might tell it.  I believe this name
> conflict / name release 'feature' of NT is also what allows you to hijack an
> NT domain when the PDC reboots..
> Steve Langasek
> postmodern programmer

Christopher R. Hertel -)-----                   University of Minnesota
crh at              Networking and Telecommunications Services

    Ideals are like stars; you will not succeed in touching them
    with your choose them as your guides, and following
    them you will reach your destiny.  --Carl Schultz

More information about the samba-technical mailing list