Crazy flying netbios packets

Has anyone done any estimates on how much net-wide traffic is useless
netbios udp? Are there any suggestions for cutting large chunks of this
out of my network without punishing SAMBA and other users who need it?

Has anyone done any estimates on how much net-wide traffic is useless
netbios udp?

No. But then again, there's a lot of useless traffic, i.e. Phlegm-ing's
rants currently on the IETF list (at least he's not on NANOG, whew).

Are there any suggestions for cutting large chunks of this
out of my network without punishing SAMBA and other users who need it?

1. Implement WINS within the organization and set the NetBIOS node type to
h-node (0x8). This will force the NetBIOS stack to use a WINS lookup and
then a lookup via broadcast.
2. Implement WINS within the organization and set the NetBIOS node type to
p-node (0x4?). This forces the client to ONLY use the WINS server. Note
every server has to be registered in the WINS database.

Neither of these affects DNS resolution.

Also, try blocking UDP and TCP ports 137, 138 and 139 at your borders.
WINS, properly implemented, can eliminate 90% or more of useless name
resolution traffic.

Anxiously waiting for Frazier's Linux response :)

Eric

Pete Ashdown wrote:

Has anyone done any estimates on how much net-wide traffic is useless
netbios udp? Are there any suggestions for cutting large chunks of this
out of my network without punishing SAMBA and other users who need it?

Has anybody done an estimate on how much net-wide traffic is useless? ;)

1. Implement WINS within the organization and set the NetBIOS node type to
h-node (0x8). This will force the NetBIOS stack to use a WINS lookup and
then a lookup via broadcast.
2. Implement WINS within the organization and set the NetBIOS node type to
p-node (0x4?). This forces the client to ONLY use the WINS server. Note
every server has to be registered in the WINS database.

Neither of these affects DNS resolution.

Also, try blocking UDP and TCP ports 137, 138 and 139 at your borders.
WINS, properly implemented, can eliminate 90% or more of useless name
resolution traffic.

These are all very good suggestions. Blocking 137/udp, 138/udp, and
139/tcp is a very good idea if you can afford to do that.
At a minimum, one should block 137/udp at your border's egress, and
here is one compelling reason why:

There is a very popular WWW log analysis program by the name of
WebTrends. It is run on a Win32 platform and, when processing
GIGs of www access-logs, it will unicast a WINS name resolution request
to every foreign IP it finds, fail,
and then use DNS for resolution.

My fear (uneducated on the matter) is that it is not WebTrends but
Microsoft's gethostbyaddr() call, which would mean that this type of
crazy 137/udp WINS resolution traffic is more commonly misused than
we think.

-Tim Keanini
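A decoder for 137/udp requests that tells LAN broadcast name queries apart from the per-foreign-IP unicast probes Tim describes, added here as an example (not code from anyone in the thread). The 192.0.2.0/24 local prefix, the addresses and the packets are constructed, and modelling the Win32 reverse-lookup behaviour as an RFC 1002 node-status (NBSTAT) request for the wildcard name is an assumption drawn from that RFC, not from the thread.

```python
"""Decode NetBIOS Name Service (137/udp) requests (RFC 1002) and count off-net unicast probes."""
import ipaddress
import struct
from collections import Counter
NB, NBSTAT = 0x0020, 0x0021  # QUESTION_TYPE: name query / node status request
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local prefix (constructed)

def encode_name(name: bytes, suffix: int) -> bytes:
    """First-level encoding: 16 raw bytes become 32 characters in 'A'..'P'."""
    raw = b"*" + b"\x00" * 15 if name == b"*" else name.ljust(15)[:15] + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
def decode_name(enc: bytes) -> bytes:
    nib = [c - 0x41 for c in enc]
    return bytes((nib[i] << 4) | nib[i + 1] for i in range(0, 32, 2))

def build_request(name: bytes, suffix: int, qtype: int, broadcast: bool) -> bytes:
    """Constructed sample request: opcode QUERY, RD set, B flag as requested."""
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack(">6H", 0x1234, flags, 1, 0, 0, 0)  # one question, no RRs
    return header + b"\x20" + encode_name(name, suffix) + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_request(pkt: bytes) -> dict:
    """Return the fields needed to classify one 137/udp datagram."""
    _, flags, qdcount, *_ = struct.unpack(">6H", pkt[:12])
    if qdcount != 1 or pkt[12] != 0x20 or pkt[45] != 0:
        raise ValueError("not a single-question NBNS request")
    raw = decode_name(pkt[13:45])
    qtype, _ = struct.unpack(">HH", pkt[46:50])
    return {
        "opcode": (flags >> 11) & 0x0F,
        "broadcast": bool(flags & 0x0010),
        "name": raw[:15].rstrip(b" \x00").decode("ascii", "replace"),
        "suffix": raw[15],
        "kind": {NB: "name-query", NBSTAT: "node-status"}.get(qtype, "other"),
    }

def offnet_probes(datagrams) -> dict:
    """Count unicast requests per (src, kind) sent to destinations outside LOCAL_NET."""
    counts = Counter()
    for src, dst, payload in datagrams:
        req = parse_request(payload)
        if not req["broadcast"] and ipaddress.ip_address(dst) not in LOCAL_NET:
            counts[(src, req["kind"])] += 1
    return dict(counts)

# Constructed sample: one LAN broadcast name query, two off-net node-status probes.
SAMPLE = [("192.0.2.10", "192.0.2.255", build_request(b"FILESRV", 0x20, NB, True)),
          ("192.0.2.10", "198.51.100.7", build_request(b"*", 0x00, NBSTAT, False)),
          ("192.0.2.10", "203.0.113.9", build_request(b"*", 0x00, NBSTAT, False))]
```

Feeding it the payloads of the port-137 datagrams an ACL logs at the border gives a per-host breakdown of what was really crossing it, rather than one bare deny count.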

I agree.
As an ISP, we receive huge amounts of NetBIOS traffic (which is blocked by our ACLs and causes our logs to get pretty ugly).
The customer pays dearly for this "hack", as the telco bills the customer for every initial connection and also for further use.
Most single users get pretty upset when they receive a phone bill of $3000.
It's easy to fix if you have the knowledge of how, but most single users don't.

(Port 137 packets denied yesterday: 30000+)

Samuel Gunnestad
Telenor Nextel