Security Incidents mailing list archives
Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity)
From: jkrage () BUSER NET (Joshua Krage)
Date: Wed, 29 Mar 2000 13:51:26 -0500
On Wed, Mar 29, 2000 at 11:09:31AM +0200, Pavel Kankovsky wrote:
> 169.254.0.0/16 is the netblock of choice for another silly Windows feature called "IP autoconfiguration". Windows pick up a more or less random address from this range and start using it if they fail to get an IP address by DHCP...or when they have a bad day or something.

The 169.254.0.0/16 usage is documented in a proposed RFC. The draft, last updated 2000/03/02, is available at the following URL:

<http://www.ietf.org/internet-drafts/draft-ietf-dhc-ipv4-autoconfig-05.txt>

It includes a discussion of the two current implementations of this (MS Win98+ and MacOS 8.5+). Supposedly NT5 also supports it.

Also note that RFC 2563 defines a DHCP option to instruct clients that are capable of auto-configuration not to do so. The URL for the RFC is:

<ftp://ftp.isi.edu/in-notes/rfc2563.txt>

In normal circumstances, it shouldn't be possible for an auto-configured host to send a packet out on the Internet, as it lacks a valid gateway. Of course, it's possible for someone to create (accidentally or otherwise) a situation where such packets get forwarded. Once they hit a router, they'll continue to get forwarded to their destination. Unless of course a filter or firewall blocks it.

And people /should/ be filtering some of this stuff. SANS has just released their Distributed DOS Action Plan Steps 1 & 2. Step 1 asks every network to perform egress filtering to prevent spoofed packets (which should also block 169.254.0.0/16 from escaping as well). I favor doing this on ingress as well, just in case anyone attempts to DOS me from 'bad' source addresses.

<http://www.sans.org/dosstep/index.htm>

Enjoy!
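
Added example, not part of the original message: a small model of the border filtering described above, showing why an egress allow-list of a site's own prefixes also stops 169.254.0.0/16, while ingress needs an explicit list of 'bad' sources. The site prefix, the sample addresses and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the site's routed address space (documentation prefix, constructed).
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# 'Bad' sources that should never arrive from the Internet.
BAD_NETS = [(ipaddress.ip_network(n), why) for n, why in (
    ("169.254.0.0/16", "IPv4 auto-configuration (link-local)"),
    ("10.0.0.0/8", "RFC 1918 private"),
    ("172.16.0.0/12", "RFC 1918 private"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("127.0.0.0/8", "loopback"),
)]

def is_site(addr):
    return any(addr in net for net in SITE_PREFIXES)

def bad_reason(addr):
    return next((why for net, why in BAD_NETS if addr in net), None)

def border_verdict(direction, src):
    """Return (action, reason) for a packet crossing the border router."""
    addr = ipaddress.ip_address(src)
    if direction == "egress":
        # Allow-list: only our own prefixes may leave, so 169.254.x.x
        # is dropped without needing a rule of its own.
        if is_site(addr):
            return ("pass", "site source")
        return ("drop", bad_reason(addr) or "source outside site prefixes")
    if direction == "ingress":
        # Deny-list: bad ranges, plus our own prefix arriving from outside.
        why = bad_reason(addr)
        if why:
            return ("drop", why)
        if is_site(addr):
            return ("drop", "site prefix arriving from outside")
        return ("pass", "external source")
    raise ValueError("direction must be 'egress' or 'ingress'")

# Constructed sample packets: (direction, source address).
SAMPLE = [("egress", "192.0.2.10"), ("egress", "169.254.12.7"),
          ("egress", "198.51.100.9"), ("ingress", "169.254.80.1"),
          ("ingress", "192.0.2.99"), ("ingress", "203.0.113.5")]

def dropped(packets):
    """List (direction, source, reason) for every packet the filter drops."""
    return [(d, s, border_verdict(d, s)[1]) for d, s in packets
            if border_verdict(d, s)[0] == "drop"]
```
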