ATA Gateway Server hitting servers over port 135

  • Question

  • We recently installed ATA and got it up and running without any issues. We let it run for about a week and then we got a phone call from a server admin asking why our gateway server was constantly pinging his server over port 135 (pretty much every 5 to 10 seconds). The server happened to be an appliance with a Linux kernel, so the traffic was getting blocked and was filling up the logs. We decided to shut down the ATA service on the gateway server until we figured out why this was happening. I tried looking for an answer, but the only thing I could find was the following reference under the gateway requirements page:

    As part of the resolution process done by the ATA Gateway, the following ports need to be open inbound on devices on the network from the ATA Gateways.

    • NTLM over RPC (TCP Port 135)
    • NetBIOS (UDP port 137)

    What I don't understand is: 1) what exactly is this doing on these ports? 2) why is it needed? 3) why would the gateway be scanning a non-Windows machine that has no reference in Active Directory?

    I found a spot under Configuration > Detection > Exclusions > DNS Reconnaissance IP Address Exclusions that looks to be where I would need to add my IP exclusions, but I'm not 100% sure. Nothing on Microsoft's website really explains what this is.

    Wednesday, January 4, 2017 9:44 PM

Answers

  • Hello,

    DNS Reconnaissance IP Address is one type of threat detection, and it should not be related to NTLM over RPC and NetBIOS.

    To block the traffic to Linux on port 135 and port 137, I recommend setting a firewall rule on the Windows system on which the ATA Gateway is deployed.

    Regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Buck2016 Thursday, January 5, 2017 1:27 PM
    Thursday, January 5, 2017 10:26 AM
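    The answer above recommends a firewall rule on the gateway host rather than an ATA exclusion. The following PowerShell is an added example, not code from the thread or from Microsoft, showing how narrowly such a rule can be scoped: it blocks only the gateway's outbound TCP 135 and UDP 137 traffic to the one Linux appliance, so name resolution toward domain-joined Windows hosts keeps working. The address in $Appliance and the rule name prefix are constructed placeholders; it assumes an elevated session on a Windows Server gateway with the NetSecurity module (Windows Server 2012 R2 or later).

```powershell
# Added example (not from the thread): block the ATA Gateway's outbound name-resolution
# probes (TCP 135 for NTLM over RPC, UDP 137 for NetBIOS) toward one non-domain Linux appliance.
# Run in an elevated PowerShell session on the ATA Gateway host.
# $Appliance is a constructed placeholder; replace it with the appliance's real address.

$Appliance = '192.0.2.50'          # placeholder: IP of the Linux appliance that must not be probed
$Prefix    = 'ATA Gateway - no resolution probes'

# One rule per protocol/port pair, outbound from the gateway, scoped to the single remote
# address so that resolution toward domain-joined Windows hosts is unaffected.
$Rules = @(
    @{ Name = "$Prefix (TCP 135)"; Protocol = 'TCP'; Port = 135 },
    @{ Name = "$Prefix (UDP 137)"; Protocol = 'UDP'; Port = 137 }
)

foreach ($r in $Rules) {
    # Skip rules that already exist so the script is safe to re-run.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name `
            -Direction Outbound `
            -Action Block `
            -Protocol $r.Protocol `
            -RemotePort $r.Port `
            -RemoteAddress $Appliance `
            -Profile Any `
            -Enabled True | Out-Null
    }
}

# Verify the resulting rules (address scope and port filter) for the change record.
Get-NetFirewallRule -DisplayName "$Prefix*" | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Action  = $_.Action
        Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        Proto   = $port.Protocol
        Port    = $port.RemotePort
    }
} | Format-Table -AutoSize
```

    Scoping the block to the single remote address matters: a blanket outbound block on 135/137 would stop the gateway resolving names for the Windows hosts it is meant to monitor. The port numbers follow the gateway requirements quoted in the question (TCP 135 for NTLM over RPC, UDP 137 for NetBIOS).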

All replies

  • Thanks for the quick response. This was helpful! Could you also explain briefly what this traffic (NTLM over RPC and NetBIOS) is doing and why it's needed? I want to be able to provide answers to my peers when they start asking why our ATA Gateway server is hitting their servers. At this point, all I have is "it just needs to hit your servers for it to do its thing".

    Thanks!
    Tyler

    Thursday, January 5, 2017 1:33 PM
  • Hello,

    Sorry for the delayed response.

    NTLM over RPC is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.

    NetBIOS with TCP/137 is used to map a computer name to an IP address; the Windows system can use NetBIOS to discover computers on the network and resolve a computer name to an IP address.

    Both protocols are included in the Windows system by default.

    Regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 9, 2017 9:29 AM
  • Hello Buck2016,

    This is the active name resolution process for the ATA Gateway. The ATA Gateway will try to resolve the IP addresses it sees in the network traffic to the name of the computer sending or receiving the traffic. It gives ATA the highest probability by communicating over either an RPC or an NTLM call to the IP address. All ports required for the ATA Gateway are provided here in detail: https://docs.microsoft.com/en-us/advanced-threat-analytics/plan-design/ata-prerequisites#ata-gateway-requirements

    Best regards

    Tomasz Gosciminski, Predica

    Tuesday, January 17, 2017 8:58 AM