Security Incidents mailing list archives
Re: UDP echo packets from 1 dec until present
From: Sean Brown <srbrown () APPGEO COM>
Date: Fri, 8 Dec 2000 09:15:28 -0500
These are Automatic private IP Addresses. The Class C 169.254.x.x address space is set aside by IANA for private networks. These addresses result from a "feature" in Windows that automatically assigns an IP address if a DHCP server is not found on the network. I would suspect that you've got a new Windows 98/ME machine on your network that does not have TCP/IP configured correctly.

Sean

Jose Nazario wrote:
hi all,

i've been receiving a handful of UDP echo packets on an email server since december 1, consistently from the same IP address. so far it hasn't caused any performance problems (ie no floods), and they're being blocked.

i'm at a loss, though, to figure out why this trickle of packets would be found. it doesn't make sense from a Firewalk point of view, as most sites block echo (both tcp and udp) on their borders. it doesn't make sense from the standpoint of detecting hosts, either, for that very reason. and the trickle seems like a very poorly done DDoS, which seems to rule that out (unless we assume super stupid attackers).

any input would be welcome. these are the only connections i have from that IP (from xinetd logs):

00/12/1@10:44:08: FAIL: echo-dgram address from=169.254.97.28
<snip>
____________________________
jose nazario jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
--
~~~~~~~~~~~~~~~
Sean R. Brown - srbrown () appgeo com
System Administrator
Applied Geographics, Inc.
Boston, MA
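A triage sketch for the situation discussed in this thread, added here as an example and not part of either poster's message: it parses xinetd FAIL lines in the format quoted above and counts sources that fall in link-local (169.254.0.0/16) or RFC 1918 ranges, which cannot be routed remote hosts. Only the first sample line comes from the post; the other lines are constructed, and the names `classify` and `triage` are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Ranges that cannot be a routed remote source (RFC 3927, RFC 1918).
NON_ROUTABLE = [
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("private", ipaddress.ip_network("10.0.0.0/8")),
    ("private", ipaddress.ip_network("172.16.0.0/12")),
    ("private", ipaddress.ip_network("192.168.0.0/16")),
]

# xinetd FAIL line as quoted in the post: "<timestamp>: FAIL: <service> address from=<ip>"
LINE_RE = re.compile(r"^\S+: FAIL: (\S+) address from=(\S+)$")

def classify(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a non-IP string
    for label, net in NON_ROUTABLE:
        if ip in net:
            return label
    return "other"  # not in any listed range

def triage(lines):
    """Count FAIL entries per (source, service, label) for non-routable sources."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a FAIL line in the expected format
        service, src = m.groups()
        try:
            label = classify(src)
        except ValueError:
            continue  # from= field is not an IP address
        if label != "other":
            hits[(src, service, label)] += 1
    return dict(hits)

# First line is from the post; the remaining lines are constructed samples.
SAMPLE_LOG = """\
00/12/1@10:44:08: FAIL: echo-dgram address from=169.254.97.28
00/12/2@03:12:51: FAIL: echo-dgram address from=169.254.97.28
00/12/2@07:30:00: FAIL: telnet address from=192.0.2.44
00/12/3@11:02:17: FAIL: echo-dgram address from=10.20.30.40
00/12/4@09:00:00: FAIL: echo-dgram address from=not-an-ip
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A hit only says the packet's source address is non-routable; locating the sending host still takes a look at the local segment, for example the ARP table of the receiving machine.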