Date: 1/13/98 9:17:14 AM
From: Luke Kenneth Casson Leighton
Subject: Re: FW: Application for port-number
To: (""@LOCAL)

> > reason for blocking port 139 is SMB.
> >
> > both of the attacks you mention are on port 137 and use UDP.
>
> Not entirely true; if I remember correctly, if I set up a netbios connection
> to a machine and use a "calling name" of XXX, I think that that will add XXX
> and my IP address to the name cache, just as if I had sent it a NetBIOS
> datagram purporting to come from XXX.

that might be the case on the NT or Win95 implementation of an SMB server,
because of the NT/Win95 NetBIOS kernel. it certainly isn't the case for
Samba (which runs as two daemons on ports 137-139).

why on _earth_ would you want to add an ip/netbios name pair from an
unverified source? that's _asking_ for trouble.

oh, i know. because if you don't, then the NetBIOS kernel doesn't know where
to respond back to (the NT and Win95 NetBIOS kernel has abstraction from its
underlying transport: tcp/ip, ipx/spx, netbeui, other).

you've just given us a clue as to what the _real_ problem was with the SMB
"protocol-down-grade" attack (see http://www.argo.demon.co.uk) from web
browsers.

luke

----------------------------------------------------------------
Users Guide http://www.microsoft.com/sitebuilder/resource/mailfaq.asp
contains important info including how to unsubscribe.
Save time, search the archives at http://discuss.microsoft.com/archives/index.html
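The exchange the quoted reply describes is a NetBIOS session request on TCP/139 (RFC 1002), which carries a CALLED NAME and a CALLING NAME that the peer simply asserts. The following is an added example, not code from the thread, from Samba or from Microsoft: it encodes and parses such a request and contrasts a toy receiver that learns the calling-name-to-IP pair from the unverified request with one that refuses to. The hostnames FILESRV and PDC, the address 10.0.0.66 and the cache API are constructed for illustration.

```python
"""NetBIOS session request (RFC 1002, TCP/139): build, parse, and show why
learning the CALLING NAME -> source IP mapping from it is a bad idea.
Added example; names, IPs and the cache API are made up."""
import struct

SESSION_REQUEST = 0x81
POSITIVE_RESPONSE = 0x82
NEGATIVE_RESPONSE = 0x83
ERR_CALLED_NAME_NOT_PRESENT = 0x82  # RFC 1002 negative-response error code


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1002 first-level encoding: 15-char space-padded name plus a
    one-byte suffix, each byte split into two nibbles, each nibble added to
    'A'.  Result is one 32-byte label (length 0x20) plus a zero terminator."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"


def decode_netbios_name(blob: bytes, offset: int = 0):
    """Inverse of encode_netbios_name. Returns (name, suffix, next_offset)."""
    if offset >= len(blob) or blob[offset] != 0x20:
        raise ValueError("expected a 32-byte NetBIOS name label")
    label = blob[offset + 1:offset + 33]
    if len(label) != 32 or blob[offset + 33:offset + 34] != b"\x00":
        raise ValueError("truncated or unterminated NetBIOS name")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = label[i] - 0x41, label[i + 1] - 0x41
        if not (0 <= hi < 16 and 0 <= lo < 16):
            raise ValueError("invalid first-level encoding")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15], offset + 34


def build_session_request(called: str, calling: str) -> bytes:
    body = encode_netbios_name(called) + encode_netbios_name(calling)
    # header: type, flags (bit 0 is bit 16 of the length), 16-bit length
    return struct.pack(">BBH", SESSION_REQUEST, 0, len(body)) + body


def parse_session_request(pkt: bytes):
    """Returns (called_name, calling_name); raises ValueError on bad input."""
    if len(pkt) < 4:
        raise ValueError("short session packet")
    ptype, flags, length = struct.unpack(">BBH", pkt[:4])
    if ptype != SESSION_REQUEST:
        raise ValueError("not a session request")
    length |= (flags & 1) << 16
    if len(pkt) != 4 + length:
        raise ValueError("length field does not match packet size")
    called, _, off = decode_netbios_name(pkt, 4)
    calling, _, off = decode_netbios_name(pkt, off)
    if off != len(pkt):
        raise ValueError("trailing bytes after calling name")
    return called, calling


class NetbiosServer:
    """Toy session-layer receiver with a name -> IP cache (hypothetical)."""

    def __init__(self, local_names, learn_calling_name: bool):
        self.local_names = {n.upper() for n in local_names}
        self.learn_calling_name = learn_calling_name
        self.name_cache = {}

    def handle_session_request(self, pkt: bytes, src_ip: str) -> bytes:
        called, calling = parse_session_request(pkt)
        if called not in self.local_names:
            return struct.pack(">BBHB", NEGATIVE_RESPONSE, 0, 1,
                               ERR_CALLED_NAME_NOT_PRESENT)
        if self.learn_calling_name:
            # The behaviour the post objects to: the peer's claim goes
            # straight into the cache with no name query to verify it.
            self.name_cache[calling] = src_ip
        return struct.pack(">BBH", POSITIVE_RESPONSE, 0, 0)


def demo():
    """Constructed scenario: a host at 10.0.0.66 opens a session to FILESRV
    claiming to be PDC.  Returns what each receiver now thinks PDC's IP is."""
    trusting = NetbiosServer(["FILESRV"], learn_calling_name=True)
    careful = NetbiosServer(["FILESRV"], learn_calling_name=False)
    pkt = build_session_request("FILESRV", "PDC")
    trusting.handle_session_request(pkt, "10.0.0.66")
    careful.handle_session_request(pkt, "10.0.0.66")
    return trusting.name_cache.get("PDC"), careful.name_cache.get("PDC")


if __name__ == "__main__":
    print(demo())
```

The trusting receiver ends up believing PDC lives at the attacker's address after a single TCP connection, which is the same poisoning a forged UDP/137 datagram achieves; the careful one answers the session normally but keeps the cache untouched, leaving name resolution to a real name query.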