Closed felixonmars closed 7 years ago
In your settings, you didn't enable UDP forwarding. Also, the route is set to bypass LAN addresses. So, I don't think it's related to shadowsocks-android.
My suggestion is to double-check your server and make sure no malicious software is installed.
The screenshot was on my local subnet, and the timing of the NetBIOS requests is highly consistent with shadowsocks-android's startup. I didn't enable UDP forwarding and set route to bypass LAN, so these requests were "leaked" to my local subnet, which were then captured.
Besides the NetBIOS requests, there are also connections to 26.26.26.x, which is present in shadowsocks-android's source code. Since these addresses should be bound to a tun2socks interface, the leaking of the requests indicates some race conditions in place, IMHO.
Shadowsocks didn't and won't do the scanning. However, some apps would do it. For example, if you have installed any video player, file sharing or download manager apps on your Android device, they could perform port scanning like NetBIOS scanning for service discovery, e.g. scanning for Samba/CIFS or DLNA services.
When shadowsocks is connected, a new subnetwork 26.26.26.0/24 is also created. Then, a network change broadcast will be sent to all the receivers on your Android OS. The app performing the NetBIOS scanning also receives the broadcast and tries to scan services again on your private network (10.0.0.0/8 and 26.26.26.0/24), which actually causes the logs you saw.
So, if you want to keep using these apps, just make sure "bypass LAN" is enabled.
I see, thanks for the detailed info. I will try harder to find the real source then. Sorry for the trouble, and happy new year!
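As an added example (not part of the original thread or of shadowsocks-android), a packet capture can be summarised to show which source address sent the UDP 137 probes, into which /24, and whether that /24 lies in 10.0.0.0/8 or in the 26.26.26.0/24 tun subnet mentioned above. The input format (`tcpdump -nn -tt -q` text), the thresholds and all sample addresses are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

LINE = re.compile(r"^(\d+\.\d+) IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.(\d+):")
TUN_NET = ipaddress.ip_network("26.26.26.0/24")  # tun subnet named in the thread
LAN_NET = ipaddress.ip_network("10.0.0.0/8")     # range named in the report

def find_sweeps(lines, port=137, min_hosts=16, window=5.0):
    """Return (src, /24, hosts_in_window, first_ts) for each burst of UDP `port` probes."""
    first_seen = defaultdict(dict)  # (src, /24) -> {dst host: first timestamp}
    for line in lines:
        m = LINE.match(line)
        if not m or int(m.group(4)) != port:
            continue
        ts, src, dst = float(m.group(1)), m.group(2), m.group(3)
        net = ipaddress.ip_network(dst + "/24", strict=False)
        first_seen[(src, net)].setdefault(dst, ts)
    sweeps = []
    for (src, net), hosts in first_seen.items():
        times = sorted(hosts.values())
        best, start, lo = 0, times[0], 0
        for hi, t in enumerate(times):  # sliding window over first-contact times
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > best:
                best, start = hi - lo + 1, times[lo]
        if best >= min_hosts:  # many distinct hosts in one /24 within `window` seconds
            sweeps.append((src, str(net), best, start))
    return sorted(sweeps, key=lambda s: s[3])

def label(subnet):
    net = ipaddress.ip_network(subnet)
    if net.subnet_of(TUN_NET):
        return "tun subnet"
    return "inside 10.0.0.0/8" if net.subnet_of(LAN_NET) else "other"

def sample_capture():
    """Constructed capture: one /24 sweep on UDP 137 plus unrelated DNS and NetBIOS traffic."""
    lines = [f"{100 + i * 0.05:.2f} IP 10.0.0.5.40000 > 10.77.3.{i}.137: UDP, length 50"
             for i in range(1, 41)]
    lines.append("99.00 IP 10.0.0.5.5353 > 10.0.0.1.53: UDP, length 40")
    lines.append("101.00 IP 10.0.0.9.137 > 10.0.0.255.137: UDP, length 50")
    return lines

if __name__ == "__main__":
    for src, net, n, ts in find_sweeps(sample_capture()):
        print(f"{ts:.2f} {src} probed {n} hosts in {net} ({label(net)})")
```

Comparing the reported first timestamp with the time the VPN connection was started shows whether a burst follows the network change, as described in the reply above.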
Environment
Configuration
Put an x inside the [ ] that applies.
What did you do?
Click to start connection.
What did you see instead?
One or more random /24 subnet(s) inside 10.0.0.0/8 were scanned at UDP port 137 (NetBIOS). See attached screenshots for more details:
This is considered malicious activity by my server ISP: