Protecting against NetBIOS abuse | TransIP (2024)

The NetBIOS protocol contains a vulnerability that allows a Windows VPS which has this service enabled to be used in an amplification DDoS attack.

In this article we'll explain the risk of the vulnerability in the NetBIOS service, and show how you can secure your VPS against abuse of the NetBIOS service.

The NetBIOS vulnerability

NetBIOS is a data communication protocol with which external systems/applications can communicate over a local network. For example, it was used to gain remote access to shared folders on an internal network.

The NetBIOS service is now out of date and is hardly used anymore. If the NetBIOS service is still enabled and is publicly accessible, NetBIOS can be abused in an amplification (D)DoS attack.

Simply put, in an 'amplification attack' an amount of data is sent to your UDP port from a spoofed IP. Your VPS then sends a significantly larger amount of data back to the actual IP. This way, malicious parties can abuse your UDP port to perform a (D)DoS attack on the spoofed IP address.

For this reason, the NetBIOS service is not permitted to be publicly accessible on a VPS at TransIP.

Preventing NetBIOS abuse

Use the steps below, depending on your OS and firewall, to prevent abuse of the NetBIOS service.

The VPS-Firewall in your control panel

Instead of using the firewall of your operating system, you can also use the VPS-Firewall in the control panel. When you use the VPS-Firewall in the control panel, all ports are automatically closed and you then decide which ports are opened.

Step 1

Log in to your control panel and navigate to the relevant VPS.

Step 2

Click the cogwheel behind 'Network' (directly under the VPS console) and click 'VPS-Firewall'.

Step 3

Enable the firewall by setting the switch to 'On' behind 'Enable VPS-Firewall for this VPS'. The most commonly used ports are then automatically opened.

Your VPS is now secure! More information about opening ports with the VPS-Firewall can be found in our VPS-firewall documentation.

Closing port 137 in Iptables

Step 1

Connect to your VPS through SSH and close port 137 using the commands:

sudo iptables -A INPUT -p tcp --dport 137 -j DROP
sudo iptables -A INPUT -p udp --dport 137 -j DROP

Step 2

Reload your firewall:

sudo iptables-save | sudo tee /etc/sysconfig/iptables
sudo service iptables restart

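The commands in step 1 use -A, which appends the DROP rules to the end of the INPUT chain; iptables acts on the first matching rule, so an ACCEPT rule higher up can still let port 137 through. The following check is an added example, not TransIP's own code: the function names check_137 and sample_rules are hypothetical and the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example (not TransIP's code). Reads `iptables -S INPUT` output on stdin
# and reports what happens to new inbound traffic for port 137 of one protocol:
#   blocked  - a DROP/REJECT rule (or a DROP policy) is reached first
#   shadowed - a DROP/REJECT rule exists, but an earlier ACCEPT rule wins
#   open     - nothing stops the traffic
# Simplification: rules restricted by source, destination, interface,
# connection state or multiport are skipped, as they do not apply to everyone.
check_137() {
    awk -v proto="$1" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        p = ""; dport = ""; target = ""; restricted = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") p = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i ~ /^(-s|-d|-i|--state|--ctstate|--dports)$/) restricted = 1
        }
        if (restricted || (p != "" && p != proto)) next
        if (dport != "") {                       # single port or lo:hi range
            n = split(dport, r, ":")
            if (137 < r[1] + 0 || 137 > r[n] + 0) next
        }
        if (target == "ACCEPT") accepted = 1
        else if (target == "DROP" || target == "REJECT") {
            print (accepted ? "shadowed" : "blocked"); decided = 1; exit
        }
    }
    END {
        if (!decided) print ((!accepted && policy == "DROP") ? "blocked" : "open")
    }'
}

# Constructed ruleset: the two DROP rules from step 1 appended behind an
# existing blanket UDP ACCEPT rule.
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
EOF
}

for proto in tcp udp; do
    echo "$proto/137: $(sample_rules | check_137 "$proto")"
done
```

On a live system, feed it the real chain with `sudo iptables -S INPUT | check_137 udp`; a result of "shadowed" means the DROP rule has to be moved above the ACCEPT rule that precedes it.
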
Closing port 137 in Firewalld (CentOS, Plesk, DirectAdmin, cPanel)

Step 1

Connect to your VPS through SSH and close port 137 using the commands (Plesk uses the zone plesk instead of public):

sudo firewall-cmd --permanent --zone=public --remove-port=137/tcp
sudo firewall-cmd --permanent --zone=public --remove-port=137/udp

Step 2

Reload your firewall to process the changes:

Closing port 137 in UFW

Connect to your VPS through SSH and close port 137 using the command:

sudo ufw deny 137

Closing port 137 in FreeBSD

Add the following lines to /etc/ipfw.rules:

$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00320 deny udp from any to any 137 in via $pif

Disabling the NetBIOS service

NetBIOS uses various services. Disabling the NetBIOS service in Windows under 'Internet Protocol Version 4 (TCP/IPv4)' only disables the session service, so the NetBIOS service can still be exploited.

As such, don't solely disable the NetBIOS service, but also block the port in the firewall, as described below.

Closing the NetBIOS port in Windows firewall

In addition to turning off the NetBIOS service, you can prevent misuse of the NetBIOS service by closing TCP & UDP port 137 in your Windows firewall. In that case, you do not have to also disable the NetBIOS service.

Step 1

Open Windows Firewall with Advanced Security and click 'Inbound' > 'New Rule'.

Step 2

Select 'Port' and click 'Next'.

Step 3

Select 'UDP' as the protocol and specify port number 137.

Step 4

You want to prevent abuse of the port, so select 'Block the connection' and click 'Next'.

Step 5

The safest option is to apply the blockade to Domain, Private and Public. Leave these options checked and click 'Next'.

Step 6

Give the rule a clearly recognizable name and click 'Finish'.

The UDP port used by the NetBIOS service is now blocked and third parties can no longer take advantage of it. Repeat these steps once more, but use TCP at step 3 instead of UDP.

In this article, we have shown how to prevent abuse of the NetBIOS service on your Windows VPS.

FAQs

How do you mitigate NetBIOS vulnerability?

How can you mitigate the risk? The most effective mitigation is to not use NetBIOS (Windows file and printer shares) at all, but many organizations rely on these services. The next best approach is to block NetBIOS traffic to/from the Internet, or limit its use to specific IP addresses, using firewall rules.

Is NetBIOS a security risk?

If NetBIOS is enabled and open to the outside, attackers may try to reach shared directories and files. This also gives sensitive information to the attacker such as the computer name, domain, or workgroup. Solution: The recommended solution is to block it in your firewall (or even your router, using ACLs).

What is a NetBIOS attack?

In this attack, the attacker intercepts and relays NETBIOS authentication requests from one device to another, effectively impersonating the target device and gaining unauthorized access to its shared resources.

What ports should I block in NetBIOS?

Port 137 is utilized by the NetBIOS Name service. Enabling NetBIOS services provides access to shared resources like files and printers not only to your network computers but also to anyone across the internet. Therefore it is advisable to block port 137 in the firewall.

Which port numbers are most vulnerable to NetBIOS attacks?

These are the ports most targeted by attackers: ports 137 and 139 (NetBIOS over TCP) and 445 (SMB); port 22 (SSH); port 53 (DNS).

Should I block NetBIOS?

There are many security concerns with NetBIOS; and disabling its support on your network and devices is strongly recommended. Disabling the use and support of NetBIOS can help to mitigate an attacker's ability to: poison and spoof responses, obtain a user's hashed credentials, inspect web traffic, etc.

How to determine if NetBIOS is being used?

How to check if NetBIOS is enabled. Run the command ipconfig /all and check the NetBIOS over Tcpip value.

Is NetBIOS needed anymore?

NetBIOS is legacy and you only need it if you are using old applications or old versions of Windows that require it or use WINS. If you're still running applications or OSes that require it, NetBIOS is probably not the real problem here.

What happens if you block NetBIOS?

The computer can no longer function as a WINS server to service WINS clients over the connection unless you turn NetBT on again.

Why is NetBIOS vulnerable?

The NetBIOS Name Server (NBNS) protocol does not perform authentication, which allows remote attackers to cause a denial of service by sending a spoofed Name Conflict or Name Release datagram, aka the "NetBIOS Name Server Protocol Spoofing" vulnerability.

How to clear NetBIOS?

Right-click Local Area Connection, and then click Properties. Select Internet Protocol Version 4 (TCP/IPv4), click Properties, and then click Advanced. Click the WINS tab, and in the NETBIOS setting section, click Disable NETBIOS over TCP/IP. Click OK to close the properties windows.

Is NetBIOS deprecated?

It's important to note that NetBIOS vulnerabilities primarily affect older versions of Windows (such as Windows XP, Windows Server 2003) that still have NetBIOS enabled by default. More recent Windows versions have deprecated or disabled NetBIOS by default due to its security concerns.

What ports should I block for security?

Common High-Risk Ports

Port            Protocol       Recommended Action
53              TCP and UDP    Disable always.
111 and 2049    TCP            Disable always.
135             TCP and UDP    Disable always.
137             TCP and UDP    Disable always.

What port should be blocked on Firewall to prevent NetBIOS traffic?

Port 139 is utilized by the NetBIOS Session service. Enabling NetBIOS services provides access to shared resources like files and printers not only to your network computers but also to anyone across the internet. Therefore it is advisable to block port 139 in the firewall.

Should I disable NetBIOS over TCP IP on domain controller?

NetBIOS over TCP/IP is not required for standard Windows networking function. You'd only need it if you are using legacy applications that require that API to function. Disable it, if you must, and re-enable it if you have problems with your apps. It will not “hurt” to leave it enabled.

What is NetBIOS in cyber security?

NetBIOS (Network Basic Input/Output System) is a network service that enables applications on different computers to communicate with each other across a local area network (LAN). It was developed in the 1980s for use on early, IBM-developed PC networks.

How do I ensure NetBIOS is enabled?

Change Settings
  1. Press the Windows Key. Type ncpa.cpl. Press Enter.
  2. Right click the Network being used. Click Properties.
  3. Select Internet Protocol version 4 (TCP/IPv4). Click Properties.
  4. Click Advanced...
  5. Click WINS. Select Enable NetBIOS over TCP/IP. Click OK.

Article information

Author: Kelle Weber
