Re: UDP echo packets from 1 dec until present

[Sean Brown <srbrown () APPGEO COM>]

These are Automatic private IP Addresses.  The Class C 169.254.x.x
address space is set aside by IANA for private networks.  These
addresses result from a "feature" in Windows that automatically assigns
an IP address if a DHCP server is not found on the network.  I would
suspect that you've got a new Windows 98/ME machine on your network that
does not have TCP/IP configured correctly.

Sean

Jose Nazario wrote:
> hi all,
>
> i've been receiving a handful of UDP echo packets on an email server since
> december 1, consistently from the same IP address. so far it hasn't caused
> any performance problems (ie no floods), and they're being blocked. i'm at
> a loss, though, to figure out why this trickle of packets would be found.
> it does't make sense from a Firewalk point of view, as most sites block
> echo (both tcp and udp) on their borders. it doesn't make sense from the
> standpoint of detecting hosts, either, for that very reason. and the
> trickle seems like a very poorly done DDoS, which seems to rule that out
> (unless we assume super stupid attackers).
>
> any input would be welcome. these are the only connections i have from
> that IP (from xinetd logs):
>
> 00/12/1@10:44:08: FAIL: echo-dgram address from=169.254.97.28
<snip>
> ____________________________
> jose nazario                                                 jose () cwru edu
>                      PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
>                                        PGP key ID 0xFD37F4E5 (pgp.mit.edu)

--
~~~~~~~~~~~~~~~
Sean R. Brown - srbrown () appgeo com
System Administrator   Applied Geographics, Inc.   Boston, MA