Netgate Discussion Forum

    Log flooded with port 137 & 138 UDP

    Category: Firewalling
    12 Posts 3 Posters 9.0k Views
    • jim82

      Dear community,

      My logs are being flooded with what seems to be broadcasts relating to NetBIOS traffic. I'm running a heavy Windows environment, so I suppose it's normal.

      I just wanted to check with you gurus if there is anything I have done wrong, or if I should just allow the traffic to pass through.

      My shares and Windows functionality seem to be in good shape (working).

      Basically I'm looking for an answer to what this broadcast is about. Is it normal or a misconfiguration?

      Please see attachments for log entry and system overview.

      EDIT:
      10.11.10.11 = DC1
      10.11.10.12 = DC2

      Thanks for any replies

      BR Jim
      Attachments: 2.png, Overview_2015.jpg

      Best regards
      Jim

      Still learning, correct me if I'm wrong please.

      • johnpoz (LAYER 8 Global Moderator)

        What do you consider flooded?  Yeah, Windows machines will normally send traffic out on 137 and 138.  Take a sniff and look at the traffic.

        Example - I just fired up the Computer Browser service on my VM in my DMZ; it likes to send out this stuff.

        Not really anything you can do about it reaching your other machines.  pfSense is not going to route the traffic anywhere, so you can try to turn this sort of stuff off at the nodes or just tell pfSense not to log the noise.  Those are all to 138 UDP.

        Attachment: 138traffic.png

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • jim82

          Thanks for your reply, John.

          Can you explain how I stop the log from being spammed?

          It's quite a heavy amount of entries, see new attachment below.

          BR Jim

          Attachment: 4.png

          • KOM

            > Can you explain how I stop the log from being spammed?

            This traffic is being caught by the Default Deny rule, which is set to log all blocks.  If you want to ignore this traffic, create a firewall rule to specifically block this traffic and set it to not log.  From then on, that traffic will be blocked but not logged.

            • jim82

              Thanks KOM,

              Would attached be the correct way of doing this?

              BR Jim

              Attachment: 6.png

              • KOM

                Looks OK to me.  Test it and see if your log entries disappear.

                • jim82

                  Thanks for your assistance :) Looks like that finally got rid of them.

                  BR Jim

                  • johnpoz (LAYER 8 Global Moderator)

                    Where do you see that it is the default deny rule?  He is not listing the rules, so how do you know it's default deny without seeing the rest of his rules?  Like I said, pfSense is not going to forward that traffic anyway.  You must have the VLAN really locked down if default deny is logging that.  Why don't you turn on the option so that you can see what rule is blocking - I thought that was the new default in 2.2.2?

                    I see those in my DMZ because it's locked down very tight.  But I just turn that shit off on the client; seeing it in the logs is a reminder that the box is sending out noise and to turn it off at the source.  Just hiding the noise from your logs doesn't mean the noise is not still there.

                    • jim82

                      To me it seems like it's NetBIOS traffic being sent from my 2 domain controllers to the VLAN10 broadcast. I guess they're polling for clients to index in the network browser.

                      My rules for VLAN10 are attached, any further input is greatly appreciated.

                      BR Jim

                      Attachment: rules.png

                      • johnpoz (LAYER 8 Global Moderator)

                        How is your network browsing going to work when there are no clients on your server segment to list?  Like I said, what is the point of just not logging the traffic?  Why don't you turn off the noise at the source, DC1 and DC2?  For the network browser to work there needs to be a master browser on each segment and one for the domain, etc.

                        Why don't you just turn off the ability for those machines to be master browser, etc.?  Disable the Computer Browser service, etc.

                        Did you sniff the traffic and look at what it was?  If you see what you think is a lot of traffic and you don't really understand what it is, why would you not understand what it is before you just stop logging it?  It could point to a misconfiguration on the machine that should be fixed and not just ignored.

                        So when the check engine light comes on in your car, do you just put a piece of tape over the light?  Or do you look to see what is turning on the light?  Floods of traffic should be investigated and corrected, not just ignored, if you ask me.

                        • jim82
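As an added illustration (not code from this thread or from pfSense), a small Python triage of pfSense filter-log lines that tallies blocked UDP 137/138 entries per source host and separates broadcast destinations (the expected browser chatter from the domain controllers) from unicast ones, which is what a block-without-log rule would otherwise hide. The log lines are constructed; their field layout follows the pfSense 2.2 filterlog CSV, and the `vlan10` interface name, the rule/tracker numbers, the 10.11.20.5 host and the 10.11.10.0/24 mask are assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the CSV layout pfSense 2.2 writes after "filterlog:":
# rule,sub-rule,anchor,tracker,iface,reason,action,direction,ip-version,
# tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst,sport,dport,datalen.
# DC1/DC2 addresses are from the thread; rule/tracker numbers, the "vlan10"
# interface name and the 10.11.20.5 host are made up for the example.
SAMPLE_LOG = """\
Mar 12 09:00:01 pfsense filterlog: 5,16777216,,1000000103,vlan10,match,block,in,4,0x0,,128,1234,0,none,17,udp,229,10.11.10.11,10.11.10.255,138,138,209
Mar 12 09:00:01 pfsense filterlog: 5,16777216,,1000000103,vlan10,match,block,in,4,0x0,,128,1235,0,none,17,udp,78,10.11.10.11,10.11.10.255,137,137,58
Mar 12 09:00:02 pfsense filterlog: 5,16777216,,1000000103,vlan10,match,block,in,4,0x0,,128,4321,0,none,17,udp,229,10.11.10.12,10.11.10.255,138,138,209
Mar 12 09:00:03 pfsense filterlog: 5,16777216,,1000000103,vlan10,match,block,in,4,0x0,,128,4322,0,none,17,udp,78,10.11.10.12,10.11.10.255,137,137,58
Mar 12 09:00:04 pfsense filterlog: 5,16777216,,1000000103,vlan10,match,block,in,4,0x0,,64,77,0,none,17,udp,60,10.11.10.50,8.8.8.8,53212,53,40
Mar 12 09:00:05 pfsense filterlog: 5,16777216,,1000000103,vlan10,match,block,in,4,0x0,,128,4323,0,none,17,udp,78,10.11.10.12,10.11.20.5,137,137,58
"""

NETBIOS_PORTS = {137, 138}
VLAN10 = ip_network("10.11.10.0/24")  # assumed mask for the VLAN10 segment


def parse_filterlog(text):
    """Return dicts for the IPv4 UDP entries in filterlog text; other lines are skipped."""
    records = []
    for line in text.splitlines():
        if "filterlog: " not in line:
            continue
        f = line.split("filterlog: ", 1)[1].split(",")
        if len(f) < 23 or f[8] != "4" or f[16] != "udp":
            continue
        records.append({"iface": f[4], "action": f[6],
                        "src": ip_address(f[18]), "dst": ip_address(f[19]),
                        "sport": int(f[20]), "dport": int(f[21])})
    return records


def netbios_summary(records, segment):
    """Per-source count of blocked UDP 137/138 entries, split into broadcast
    destinations (the expected browser/name-service chatter) and unicast ones."""
    summary = {}
    for r in records:
        if r["action"] != "block" or r["dport"] not in NETBIOS_PORTS:
            continue
        bcast = r["dst"] in (segment.broadcast_address, ip_address("255.255.255.255"))
        summary.setdefault(str(r["src"]), Counter())["broadcast" if bcast else "unicast"] += 1
    return summary


if __name__ == "__main__":
    for src, counts in netbios_summary(parse_filterlog(SAMPLE_LOG), VLAN10).items():
        print(f"{src}: {counts['broadcast']} broadcast, {counts['unicast']} unicast")
```

A non-zero unicast count for a source is the entry worth looking at before the rule stops logging it; the broadcast counts are the master-browser noise the thread describes.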

                          Hi John,

                          Thanks a lot for the insightful information. I have started to investigate the traffic now. Generally it is NetBIOS broadcasts which could be ignored or disabled, since NetBIOS can now be served over DNS instead.

                          In regards to the "engine light" analogy, I completely agree! Sometimes one just requires a real world simple comparison of an otherwise more complex problem.

                          Have a nice day
                          BR Jim

                          • KOM

                            > where do you see that is the default deny rule?  He is not listing the rules.. So how do you know its default deny without seeing the rest of his rules.

                            Educated guess.  Only his main LAN gets an auto-rule.  All others are empty.  He is blocking NETBIOS traffic without knowing what, where or why, which leads me to believe it's the default deny rule.  It doesn't take the Scooby Gang to figure that mystery out.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.