DDoS vulnerability and UDP amplification attacks in open NetBIOS service

Original Issue Date: October 12, 2023
Severity: High

Software Affected:

  • Microsoft Windows NT 4.0 Workstation
  • Microsoft Windows NT 4.0 Server
  • Microsoft Windows NT 4.0 Server, Enterprise Edition
  • Microsoft Windows NT 4.0 Server, Terminal Server Edition
  • Microsoft Windows 2000

Abstract:

NetBIOS (Network Basic Input/Output System) is a network service that enables applications on different computers to communicate with each other across a local area network (LAN). An openly accessible NetBIOS service may lead to information disclosure or may allow an unauthorized remote attacker to launch UDP amplification attacks from the targeted machine.

Technical Description:

NetBIOS includes a name service, often called WINS on Microsoft Windows operating systems, which uses port 137/udp. This service is only needed within local networks and with systems before Microsoft Windows 2000, which require name resolution through WINS. Otherwise, in particular on the Internet, name resolution is done via DNS, so there is no need to expose a NetBIOS name service to the Internet. IP addresses that are not firewalled from the Internet on port 137/udp expose an openly accessible NetBIOS name service that answers name resolution queries and can be abused for DDoS reflection attacks against third parties. Furthermore, such hosts allow potential attackers to gather information on the server or network in preparation for further attacks.

Vulnerability Assessment:

To verify the vulnerability, execute the command below from an external network:

Command:

  • nmblookup -A <ip address>

An openly accessible NetBIOS name service will return information such as Hostname, Workgroup, MAC Address etc.

Otherwise, nmblookup will run into a timeout.
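
The reply that `nmblookup -A` elicits can also be inspected programmatically. The following is an added example, not part of the original advisory: a Python parser for a NetBIOS node status (NBSTAT) reply that reports the disclosed hostname, workgroup and MAC address and the reply-to-query size ratio. The sample reply, host names and MAC address are constructed, the function names are illustrative, and the packet layout and the 50-byte query size follow RFC 1002.

```python
import struct

NBSTAT_QUERY_LEN = 50  # RFC 1002 node status query: 12 header + 34 name + 4 type/class

def build_sample_response():
    """Constructed NBSTAT reply for a fictional host (not captured traffic)."""
    names = [(b"FILESRV01", 0x00, 0x0400),   # unique <00>: computer name
             (b"WORKGROUP", 0x00, 0x8400),   # group  <00>: workgroup/domain
             (b"FILESRV01", 0x20, 0x0400)]   # unique <20>: file server service
    rdata = bytes([len(names)])
    for name, suffix, flags in names:
        rdata += name.ljust(15) + bytes([suffix]) + struct.pack(">H", flags)
    rdata += bytes.fromhex("020000aabbcc") + bytes(40)  # unit ID (MAC) + statistics
    header = struct.pack(">6H", 0x1337, 0x8400, 0, 1, 0, 0)
    rr_name = b"\x20" + b"CK" + b"A" * 30 + b"\x00"     # encoded wildcard name "*"
    return header + rr_name + struct.pack(">HHIH", 0x21, 1, 0, len(rdata)) + rdata

def parse_nbstat(pkt):
    """Return ([(name, suffix, is_group)], mac) from a node status response."""
    try:
        flags, _, ancount = struct.unpack_from(">3H", pkt, 2)
        if not flags & 0x8000 or ancount < 1:
            raise ValueError("not a response carrying an answer record")
        pos = 12
        while pkt[pos] and pkt[pos] & 0xC0 != 0xC0:    # walk RR_NAME labels
            pos += 1 + pkt[pos]
        pos += 2 if pkt[pos] else 1      # compression pointer: 2 bytes, root label: 1
        if struct.unpack_from(">H", pkt, pos)[0] != 0x21:
            raise ValueError("answer is not an NBSTAT record")
        # skip TYPE, CLASS, TTL, RDLENGTH (10 bytes); next byte is NUM_NAMES
        count, pos, names = pkt[pos + 10], pos + 11, []
        for _ in range(count):           # 15-byte name, 1-byte suffix, 2-byte flags
            raw, suffix, nflags = struct.unpack_from(">15sBH", pkt, pos)
            names.append((raw.decode("ascii", "replace").rstrip(), suffix,
                          bool(nflags & 0x8000)))
            pos += 18
        mac = pkt[pos:pos + 6]           # first statistics field is the unit ID
        if len(mac) < 6:
            raise IndexError
    except (IndexError, struct.error):
        raise ValueError("truncated NBSTAT response") from None
    return names, ":".join(f"{b:02x}" for b in mac)

def summarize(pkt):
    """What an exposed service discloses, and how much larger the reply is."""
    names, mac = parse_nbstat(pkt)
    pick = lambda group: next((n for n, s, g in names if s == 0 and g == group), None)
    return {"hostname": pick(False), "workgroup": pick(True), "mac": mac,
            "response_bytes": len(pkt),
            "amplification": round(len(pkt) / NBSTAT_QUERY_LEN, 2)}
```

The reply grows by 18 bytes per registered name, so hosts with many NetBIOS names return proportionally larger replies to the same 50-byte query.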

Countermeasures and Best practices for prevention:

  • Disable the open NetBIOS service if NetBIOS-over-TCP/IP is not needed.
  • If it is in use, restrict access to the NetBIOS name service to trusted clients, e.g. by blocking incoming connections to port 137 tcp/udp on the firewall. For security reasons, consider blocking access to ports 135, 138, 139 and 445 from anywhere on the Internet as well.
  • On Linux/Unix systems, the NetBIOS name service is usually provided by 'nmbd', included with Samba. Disable SMB services if you are not using them. Otherwise, NetBIOS support can be disabled by setting disable netbios = Yes in the Samba configuration.
  • Use your firewall to filter inbound connections to SMB and NetBIOS/NetBT services, and only allow trusted IPs and hosts.
  • Disable the system's ability to support null sessions.
  • Use strong passwords for the administration account and for shares.
  • Disable the guest login.
  • Do not allow access to the root directory or the windows/WinNT directories of the HDD via a share.
  • Block external access at the network boundary, unless required.
  • Run all software as a non-privileged user with minimal access rights.
  • Implement multiple redundant layers of security.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.

Solution:

Apply the best security practices available at:

References: