Following the introduction to denial-of-service (DoS) cyberattacks and some of their variants in the article “DrDoS: characteristics and functioning“, this article addresses how the NetBIOS protocol can be abused to carry out a DoS attack in its Distributed Reflection Denial-of-Service (DrDoS) variant.
NetBIOS (Network Basic Input/Output System) is an application programming interface and set of services that originated in IBM's PC Network LAN technology. It is not a routable network protocol in itself: it operates at the session layer (layer 5 of the OSI model) and lets applications on computers within the same local area network (LAN) establish sessions and access shared resources.
Today NetBIOS normally runs over TCP/IP (NetBIOS over TCP/IP, specified in RFC 1001 and RFC 1002), which maps each host's NetBIOS name to its IP address. It is widely deployed because of the prevalence of Microsoft operating systems. It provides three services:
Illustration 1. NetBIOS architecture diagram
- Name Service (NetBIOS-NS, UDP port 137): NetBIOS name registration and resolution.
- Datagram Distribution Service (NetBIOS-DGM, UDP port 138): connectionless communication.
- Session Service (NetBIOS-SSN, TCP port 139): connection-oriented communication.
Therefore, if these services fail, computers on the network can no longer locate or communicate with each other, nor access shared resources.
The weakness that makes this type of attack possible lies in the name service: it runs over UDP, so the source address of a query is never verified, and its node status (NBSTAT) response is several times larger than the query that triggers it.
A NetBIOS-based DrDoS attack starts with the attacker sending a large number of name service queries (typically NBSTAT node status requests) to servers that expose the NetBIOS name service on the Internet, which act as reflectors. The source IP address of each query is forged (spoofed) so that it appears to come from the victim. Since UDP involves no handshake, the reflectors accept the queries as legitimate and send their responses to the victim.
Because each response is larger than the query that triggered it, the traffic reaching the victim is amplified: responses are typically 2.5 to 3.8 times the size of the queries. The resulting flood saturates the victim's network link and causes downtime. Some attacks of this kind have reached traffic rates in the order of 100 Gbps.
Illustration 2. Schematic diagram of NetBIOS attack
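To make the amplification concrete, the following Python script (an added example, not code from the original article or from INCIBE-CERT) builds the 50-byte wildcard NBSTAT query that tools such as nbtstat -A and nmap's nbstat.nse send, builds a reflector's node status response for a constructed name table (five names and a made-up MAC address, both assumptions for the example), parses that response the way a scanner would, and computes the amplification factor. The packet layout follows RFC 1002; the sample names and MAC are not from the page.

```python
import struct

NBNS_PORT = 137          # NetBIOS Name Service (RFC 1002) listens on UDP/137
TYPE_NBSTAT = 0x0021     # node status request/response
CLASS_IN = 0x0001

# Constructed reflector answer used below (assumption for the example):
# (name, suffix byte, NAME_FLAGS) entries of a node's name table.
SAMPLE_NAMES = [
    (b"FILESRV01", 0x00, 0x0400),  # workstation service, unique name
    (b"FILESRV01", 0x20, 0x0400),  # file server service
    (b"WORKGROUP", 0x00, 0x8400),  # group name
    (b"WORKGROUP", 0x1E, 0x8400),  # browser service elections
    (b"WORKGROUP", 0x1D, 0x8400),  # master browser
]
SAMPLE_MAC = bytes.fromhex("000c29aabbcc")  # made-up MAC address


def encode_netbios_name(name: bytes, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the suffix
    byte, then write each byte as two nibbles added to 'A'. Returns the wire
    label: length byte 0x20, 32 encoded characters, 0x00 root label (34 bytes)."""
    raw = name[:15].ljust(15, pad) + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"


def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """NBSTAT query for the wildcard name '*' (padded with NUL bytes)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QDCOUNT=1
    question = encode_netbios_name(b"*", pad=b"\x00") + struct.pack(">HH", TYPE_NBSTAT, CLASS_IN)
    return header + question  # 12 + 34 + 4 = 50 bytes on the wire


def build_nbstat_response(txid: int, names, mac: bytes) -> bytes:
    """The reflector's reply: one resource record whose RDATA lists every
    registered name (18 bytes each) plus a 46-byte statistics block
    (MAC address followed by 40 counter bytes, zeroed here)."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response, authoritative, ANCOUNT=1
    rdata = bytes([len(names)])
    for name, suffix, flags in names:
        rdata += name[:15].ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += mac + b"\x00" * 40
    rr = encode_netbios_name(b"*", pad=b"\x00") + struct.pack(">HHIH", TYPE_NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata  # 103 + 18 * len(names) bytes


def parse_nbstat_response(pkt: bytes) -> dict:
    """Decode a node status response into its name table and MAC address."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not (flags & 0x8000) or ancount != 1:
        raise ValueError("not an NBSTAT response")
    off = 12
    while pkt[off] != 0:            # skip the echoed question name (label chain)
        off += 1 + pkt[off]
    off += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    if rtype != TYPE_NBSTAT:
        raise ValueError("unexpected record type 0x%04x" % rtype)
    num_names = pkt[off]
    off += 1
    names = []
    for _ in range(num_names):
        entry = pkt[off:off + 18]
        off += 18
        names.append((entry[:15].rstrip(b" ").decode("ascii", "replace"),
                      entry[15], struct.unpack(">H", entry[16:18])[0]))
    mac = pkt[off:off + 6]
    return {"txid": txid, "names": names, "mac": mac.hex(":")}


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the victim per byte the attacker sent to the reflector."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_nbstat_query(0x4242)
    r = build_nbstat_response(0x4242, SAMPLE_NAMES, SAMPLE_MAC)
    print(parse_nbstat_response(r))
    print("query %d bytes, response %d bytes, amplification x%.2f"
          % (len(q), len(r), amplification_factor(q, r)))
```

With five names the response is 193 bytes against a 50-byte query, i.e. an amplification factor of 3.86, which is where the upper end of the 2.5 to 3.8 range comes from: every extra registered name adds 18 bytes to the reply at no cost to the attacker.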
Any server that exposes the NetBIOS name service to the Internet can be used as a reflector in a DrDoS attack. To find out whether a server exposes the service, run the following nmap command:
nmap -sU --script nbstat.nse -p137 [Server IP address]
If the script returns the host's NetBIOS name table (names and MAC address), the service is reachable from the Internet and the server can be abused as a reflector.
Some measures that prevent the NetBIOS service from being used to launch DrDoS attacks against third parties are:
- Keep software and firmware up to date. This avoids keeping equipment with obsolete protocol implementations reachable over this channel.
- Disable or filter UDP port 137. Disable NetBIOS over TCP/IP on hosts that do not need it, and block inbound UDP port 137 from the Internet on the perimeter firewall; this gives control over the traffic the name service can generate.
It is important to assess whether the service really needs to be exposed and, if so, to review its publication requirements and harden it.
Detection and evidence
As mentioned above, only the NetBIOS name service, which listens on UDP port 137 by default, is abused in these denial-of-service attacks.
Organisations do not usually expose this service on the Internet. However, routers and switches used by home users, honeypots and surveillance devices frequently do, since they lack additional security settings for the NetBIOS service. This makes them ideal candidates to be used, unwittingly, as reflectors in a DrDoS attack.
The nbtstat command (available on Windows) is useful for checking whether the service is behaving abnormally and for finding evidence of a possible attack, since it displays NetBIOS over TCP/IP statistics: the local and remote NetBIOS name tables and the name cache. Further details on the use of this command and its parameters are provided in the following guide.
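On the reflector side, the clearest evidence is a burst of name service replies from UDP port 137 all aimed at the same external address, the spoofed victim. The following Python script (an added example, not from the original article or from INCIBE-CERT) runs that check over firewall or flow records. The log format, the host address 203.0.113.10, the victim 198.51.100.7 and the sample records are all constructed for the example and are not taken from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical flow log format assumed for this example:
#   <ISO timestamp> UDP <src>:<sport> -> <dst>:<dport> <bytes>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+UDP\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)$"
)

# Constructed sample: our host 203.0.113.10 answers two legitimate LAN queries,
# then receives a burst of NBSTAT queries whose source is spoofed to the victim
# 198.51.100.7, so every 193-byte reply is delivered to the victim instead.
SAMPLE_HOST = "203.0.113.10"
SAMPLE_FLOWS = [
    "2024-05-02T10:00:00 UDP 192.168.1.20:137 -> 203.0.113.10:137 50",
    "2024-05-02T10:00:00 UDP 203.0.113.10:137 -> 192.168.1.20:137 193",
    "2024-05-02T10:00:03 UDP 192.168.1.21:137 -> 203.0.113.10:137 50",
    "2024-05-02T10:00:03 UDP 203.0.113.10:137 -> 192.168.1.21:137 193",
]
for i in range(15):
    ts = "2024-05-02T10:01:%02d" % (i // 5)
    SAMPLE_FLOWS.append("%s UDP 198.51.100.7:%d -> 203.0.113.10:137 50" % (ts, 40000 + i))
    SAMPLE_FLOWS.append("%s UDP 203.0.113.10:137 -> 198.51.100.7:%d 193" % (ts, 40000 + i))


def parse_flow(line: str):
    """Parse one record; returns None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "bytes": int(m["bytes"]),
    }


def find_reflection_targets(lines, host_ip, window=timedelta(seconds=10), threshold=10):
    """Group the replies our name service sends from UDP/137 by destination and
    flag every destination that received at least `threshold` replies within
    `window`. A legitimate client asks once; a spoofed victim 'asks' thousands
    of times, so a dense burst to one address identifies the victim."""
    replies = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if f and f["src"] == host_ip and f["sport"] == 137:
            replies[f["dst"]].append(f)
    hits = []
    for dst, flows in replies.items():
        flows.sort(key=lambda f: f["ts"])
        start, burst = 0, 0
        for end in range(len(flows)):            # sliding window over timestamps
            while flows[end]["ts"] - flows[start]["ts"] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            hits.append({"dst": dst, "replies": len(flows), "burst": burst,
                         "bytes": sum(f["bytes"] for f in flows)})
    return sorted(hits, key=lambda h: h["bytes"], reverse=True)


if __name__ == "__main__":
    for hit in find_reflection_targets(SAMPLE_FLOWS, SAMPLE_HOST):
        print("reflection target %(dst)s: %(replies)d replies, "
              "%(burst)d within window, %(bytes)d bytes" % hit)
```

The flagged destinations are the addresses to report and to rate-limit or block at the perimeter; the two LAN clients that each received a single reply are not flagged. Thresholds should be tuned to the normal query rate of the environment.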
Response and recommendations
If it is confirmed that your own NetBIOS-enabled equipment is involved in a DrDoS attack, you must act quickly and in accordance with the pre-defined incident management and action protocol for this type of attack. This protocol must include the following actions:
- Collect data. Gather as much information as possible about the incident, identifying source and destination IP addresses, ports and the NetBIOS name assigned to each computer.
- Block and filter unwanted traffic. Based on the information gathered, set up filtering rules on firewalls and routers to block incoming requests to the NetBIOS hosts. Contacting hosting and Internet service providers is also key, so that they apply additional filters to limit unauthorised traffic.
- Contact INCIBE-CERT. INCIBE-CERT will provide assistance to take measures to mitigate and recover from such attacks.
Once the attack has been stopped and the system has been confirmed to be back in normal operation, it is important to analyse the incident further and identify the cause of the problem. Furthermore, regardless of the impact of the attack, the incident should be reported to the authorities, as with any other electronic or online crime, so that it can be investigated and prosecuted.