Printable View
So, it was a normal night, I was chillin online doing my thing. Then I started looking at my firewall logs and found that everytime I log on to AOL Instant Messenger, I can see my firewall block NETBIOS traffic to an AIM address. Why on earth is AOL attempting a Netbios connection? Check it out for yourself...anybody know whats up with that?
Block NetBIOS Traffic *NetBIOS 64.12.26.41 NETBIOS_NS Outbound UDP
I don't have or use AIM so I couldn't duplicate your test, but I did start my yahoo messenger and msn messenger. The msn messenger didn't produce any results, but when I started yahoo, my firewall blocked 2 program access requests from Yahoo updater. I also remember denieing that when I was configureing my firewall so it is not a suprise to me.
It could be that the messenger program is trying to send info out on that port, And seeing that is a netbios port usually, the scanner thought that this traffic what actually netbios traffic?
The key here is this: NETBIOS_NSQuote:
Originally posted here by Dr Toker
So, it was a normal night, I was chillin online doing my thing. Then I started looking at my firewall logs and found that everytime I log on to AOL Instant Messenger, I can see my firewall block NETBIOS traffic to an AIM address. Why on earth is AOL attempting a Netbios connection? Check it out for yourself...anybody know whats up with that?
Block NetBIOS Traffic *NetBIOS 64.12.26.41 NETBIOS_NS Outbound UDP
Your system is essentially trying to use netbios to resolve names. This is default Windows behaviour (especially Win2k/XP) and unless you disable netbios over tcp/ip and unbind the netbios services (which will kill microsoft network), there really isn't anyway to stop this. Essentially Windows uses the netbios name service as a fallback to DNS (considering that M$ now calls bind 'legacy DNS', that should be a rough approximation on how they do things... :rolleyes: ). It usually will not resort to netbios unless it is either a last effort to resolve the name, part of microsoft networking, or specifically built into the product you are using (in this case AOL instant messenger, webtrends is another program that does this).
My guess it is built into it to check netbios names...
Regardless, I wouldn't worry about it too much.
/nebulus
EDIT:
I find the chances of this to be almost 0%, even though possible. AOL to my knowledge doesn't use UDP datagrams in that fashion, but rather uses TCP. On top of that, picking port 137 would be very ill-advised in that many locations prevent that port from being used from outside of their internal networks. While possible, I think it is much more plausible that the program is simply trying to resolve a name...Quote:
It could be that the messenger program is trying to send info out on that port, And seeing that is a netbios port usually, the scanner thought that this traffic what actually netbios traffic?
This is what I suspected. Thanks for the insight, I really wasn't worried about it as much as I was curious. I am trying to get a base-line of what "normal" behavior should look like. Thanks for your help.