I have a Lenovo laptop running Windows 8.1 which apparently recently started flooding the network with NBNS packets to a block of IP addresses, which then floods the router. Unplugging the physical cable or turning off Wi-Fi (it happens over either interface) clears the problem shortly afterwards, and other devices can then access the internet. Any additional info on this "flood" would be great. Here is a partial listing from Wireshark (the destination 203.52.141.70 runs sequentially until the last one, 203.52.255.178, in about 10 seconds; in the 3 trials I have run I get differing IP hosts):
asked 15 Mar '16, 08:49 by mmarckese, edited 15 Mar '16, 10:40
One Answer:
Hm, my conclusion is that your notebook has become a zombie in a botnet, and its boss asks it to take part in DDoS attacks on various networks (note that in this capture, the target network differs from the one you've mentioned in your question). The "NBNS" packets your notebook sends contain a bogus payload, and the "recipient" (actually, the target) or some firewall in front of it already filters the attack; see e.g. packet 71, which is an ICMP message informing you that you've been blacklisted. The reason I wanted to see the very beginning after boot was to see the control process of the zombie "calling home" for instructions on whom to attack. I'd recommend cutting the laptop off the network immediately and using some good anti-virus software to clean it up. It may be necessary to use a bootable anti-virus, or to connect the disk from the laptop as an additional disk to another computer, as some viruses can become active before the anti-virus and fool it.
answered 15 Mar '16, 11:09 by sindy
Excellent (to you, not the situation). Thank you. (15 Mar '16, 11:26) mmarckese
Please publish the complete capture file somewhere (preferably CloudShark, but Dropbox, Google Drive or MS OneDrive should do as well) with login-free access, and edit your question to add a link to it. From a text dump of packet headers no one can help you.
The capture should include the beginning of the flood, i.e. if you capture on the laptop which is the source of the flood, you should boot it while isolated from the network in a way that still allows you to start the capture (i.e. the interface needs to be physically up), then start the capture, and then “unplug” the communication. You may use firewall settings to do that, or another switch which you connect to the PC before booting it but only connect to the network after starting the capture.
If you cannot post the capture for privacy reasons, check whether shaving off the payload above the TCP layer using TraceWrangler would be secure enough for you.
Hopefully this will help: URL: https://www.cloudshark.org/captures/8635910ab655