My firewall is detecting hacker attacks called NetBIOS Browsing, ping attack and cloaking all the time. What does this mean? Is it dangerous? How do I stop this? Can I somehow put the hackers who are doing this behind bars?
Thank you for taking the time to pose your questions. NetBIOS (port 139) and Server Message Block (port 445 - used if port 139 is disabled) are used for file sharing and provide information about your servers and sessions. These ports (along with ICMP/Ping) should be blocked at your border router and firewall, and disabled on servers with valid IP addresses that are accessible from the Internet.
Add a new rule in your router and firewall to drop any packets from the offending IP addresses (or network) scanning your network. Next, do a trace route (tracert) on these IP addresses and notify the ISP where the attacks are originating from -- chances are the ISP may have been hacked and they don't know it.
As for the severity of the attempts, carefully consider the following:
- Review your firewall logs as far back as you can and observe "accepted" connections and follow through.
- Review your server logs for security compromise and enable auditing, if not already done.
- Make a backup of your firewall logs and keep a printed copy available for quick reference.
- Check your firewall settings and make sure it's properly configured (e.g., to prevent anti-spoofing).
- Update your firewall and servers with the latest "tested" service packs and security hotfixes.
- Visit http://www.cybercrime.gov/reporting.htm to learn if you are the victim of a computer crime and take the appropriate course of action.
- Define alarms and configure your router, firewall, and servers to notify you immediately.
- Closely monitor your router, firewall, and server logs moving forward.
- Read up on script kiddies.
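
The log review described in the checklist above can be scripted. The following is an added example, not part of the original answer: it tallies probes against ports 139 and 445 and ICMP per source address and lists any that were accepted, which are the connections to follow through on. The iptables-style line format, the FW-ACCEPT/FW-DROP prefixes and all addresses are constructed assumptions; adapt the pattern to your firewall's own log format.

```python
import re
from collections import defaultdict

# Constructed sample lines (iptables-style). The FW-ACCEPT / FW-DROP prefixes
# are an assumed logging convention; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 03 10:01:11 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40112 DPT=139
Mar 03 10:01:12 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40113 DPT=445
Mar 03 10:02:40 gw kernel: FW-ACCEPT IN=eth0 SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=40200 DPT=445
Mar 03 10:03:05 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
Mar 03 10:04:19 gw kernel: FW-ACCEPT IN=eth0 SRC=192.0.2.80 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=443
"""

WATCHED_TCP_PORTS = {139, 445}  # NetBIOS session service and SMB
LINE_RE = re.compile(r"FW-(?P<action>ACCEPT|DROP)\b(?P<fields>.*)")

def parse_line(line):
    """Return a dict describing one firewall event, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    dpt = fields.get("DPT", "")
    return {"action": m.group("action"), "src": fields.get("SRC"),
            "dst": fields.get("DST"), "proto": fields.get("PROTO"),
            "dport": int(dpt) if dpt.isdigit() else None}

def is_watched(ev):
    """True for ICMP and for TCP traffic aimed at the file-sharing ports."""
    if ev["proto"] == "ICMP":
        return True
    return ev["proto"] == "TCP" and ev["dport"] in WATCHED_TCP_PORTS

def summarize(log_text):
    """Count watched events per source and collect the accepted ones."""
    per_source = defaultdict(lambda: {"DROP": 0, "ACCEPT": 0})
    accepted = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["src"] is None or not is_watched(ev):
            continue
        per_source[ev["src"]][ev["action"]] += 1
        if ev["action"] == "ACCEPT":
            accepted.append((ev["src"], ev["dst"], ev["proto"], ev["dport"]))
    return dict(per_source), accepted

if __name__ == "__main__":
    per_source, accepted = summarize(SAMPLE_LOG)
    for src, counts in sorted(per_source.items()):
        print(f"{src}: dropped={counts['DROP']} accepted={counts['ACCEPT']}")
    for src, dst, proto, dport in accepted:
        print(f"FOLLOW UP: {src} -> {dst} {proto}/{dport} was accepted")
```

Any line printed as FOLLOW UP names the server whose own logs should be checked next, and the per-source counts give the addresses to block and report to the originating ISP.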