Security Incidents mailing list archives

Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity)


From: jkrage () BUSER NET (Joshua Krage)
Date: Wed, 29 Mar 2000 13:51:26 -0500


On Wed, Mar 29, 2000 at 11:09:31AM +0200, Pavel Kankovsky wrote:
> 169.254.0.0/16 is the netblock of choice for another silly Windows feature
> called "IP autoconfiguration". Windows pick up a more or less random
> address from this range and start using it if they fail to get an
> IP address by DHCP...or when they have a bad day or something.

The 169.254.0.0/16 usage is documented in a proposed RFC.  The draft,
last updated 2000/03/02, is available at the following URL:

    <http://www.ietf.org/internet-drafts/draft-ietf-dhc-ipv4-autoconfig-05.txt>

It includes a discussion of the two current implementations of this
(MS Win98+ and MacOS 8.5+).  Supposedly NT5 also supports it.

Also note that RFC 2563 defines a DHCP option to instruct clients that
are capable of auto-configuration not to do so.  The URL for the RFC is:

    <ftp://ftp.isi.edu/in-notes/rfc2563.txt>

In normal circumstances, it shouldn't be possible for an auto-configured
host to send a packet out on the Internet, as it lacks a valid gateway.

Of course, it's possible for someone to create (accidentally or otherwise)
a situation where such packets get forwarded.  Once they hit a router,
they'll continue to get forwarded to their destination.  Unless of course
a filter or firewall blocks it.  And people /should/ be filtering some
of this stuff.

SANS has just released their Distributed DOS Action Plan Steps 1 & 2.
Step 1 asks every network to perform egress filtering to prevent
spoofed packets (which should also block 169.254.0.0/16 from escaping
as well).  I favor doing this on ingress as well, just in case anyone
attempts to DOS me from 'bad' source addresses.

   <http://www.sans.org/dosstep/index.htm>

Enjoy!
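
The egress and ingress source-address checks discussed in the message above, as an added example that is not part of the original post. It goes beyond 169.254.0.0/16 by also treating the RFC 1918 and loopback ranges as never-routed sources; the site prefix 192.0.2.0/24 and the flow-record format are assumptions made for the example.

```python
import ipaddress

# Assumption: the site's only routable prefix (documentation range, constructed).
SITE = [ipaddress.ip_network("192.0.2.0/24")]
# Source ranges that should never cross a border router in either direction.
NEVER_ROUTED = [(label, ipaddress.ip_network(cidr)) for label, cidr in [
    ("link-local autoconfig", "169.254.0.0/16"),
    ("private (RFC 1918)", "10.0.0.0/8"),
    ("private (RFC 1918)", "172.16.0.0/12"),
    ("private (RFC 1918)", "192.168.0.0/16"),
    ("loopback", "127.0.0.0/8"),
]]

def verdict(direction, src_text):
    """Decide what a border filter should do with a packet's source address."""
    src = ipaddress.ip_address(src_text)
    label = next((name for name, net in NEVER_ROUTED if src in net), None)
    ours = any(src in net for net in SITE)
    if direction == "out":
        # Egress: only our own prefix may leave; the rest is spoofed or leaked.
        if ours:
            return ("pass", "site source")
        return ("drop", label or "source outside site prefix")
    if direction == "in":
        # Ingress: never-routed sources, or our own prefix arriving from outside.
        if label:
            return ("drop", label)
        if ours:
            return ("drop", "site source arriving from outside")
        return ("pass", "external source")
    raise ValueError(f"unknown direction: {direction!r}")

# Constructed flow records: direction, source, destination, protocol, dest port.
SAMPLE_FLOWS = """\
out 192.0.2.10 198.51.100.7 udp 53
out 169.254.17.3 198.51.100.7 udp 137
out 10.1.2.3 198.51.100.7 tcp 80
in 198.51.100.7 192.0.2.10 tcp 25
in 169.254.200.1 192.0.2.10 udp 137
in 192.0.2.55 192.0.2.10 udp 137
"""

def audit(text):
    """Return (record, action, reason) for each flow record in text."""
    return [(rec, *verdict(*rec.split()[:2])) for rec in text.splitlines() if rec.strip()]

if __name__ == "__main__":
    for rec, action, reason in audit(SAMPLE_FLOWS):
        print(f"{action:4}  {rec}  ({reason})")
```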

