Security Incidents mailing list archives
Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity)
From: woods () MOST WEIRD COM (Greg A. Woods)
Date: Wed, 29 Mar 2000 15:55:22 -0500
[ On Wednesday, March 29, 2000 at 11:09:31 (+0200), Pavel Kankovsky wrote: ]
Subject: Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity)

> On Sat, 25 Mar 2000, Jeffrey D. Carter wrote:
>
> > There is one other anomaly in the data below: 4 of the probe clumps include an interleaved series of a remote address and an address in the 169.254.0.0 netblock....
>
> 169.254.0.0/16 is the netblock of choice for another silly Windows feature called "IP autoconfiguration". Windows pick up a more or less random address from this range and start using it if they fail to get an IP address by DHCP...or when they have a bad day or something.
That's not a "silly MS-Win" feature -- it's a silly, or maybe even downright stupid and possibly dangerous, feature shared by many DHCP client implementations, including Mac OS system 8.5 and higher. :-)

It's also called the "LINKLOCAL" network, but so far as I know it's not yet standardised by the IETF.

It should of course be aggressively filtered at all network borders and anywhere else such filtering is possible (just as all RFC-1918 addresses MUST be aggressively filtered). Various documents also advise that NATs NOT be set up to translate it.

The best overview of this I've found so far is:

    http://www.performancecomputing.com/columns/daemons/9907.shtml

The current (as of 2000/03/02) draft reference is:

    http://www.ietf.org/internet-drafts/draft-ietf-dhc-ipv4-autoconfig-05.txt

Internet Assigned Numbers Authority (IANA) (NETBLK-LINKLOCAL)
   For use with Link Local Networks
   Information Sciences Institute
   University of Southern California
   4676 Admiralty Way, Suite 330
   Marina del Rey, CA 90292-6695

   Netname: LINKLOCAL
   Netblock: 169.254.0.0 - 169.254.255.255

   Coordinator:
      Internet Assigned Numbers Authority (IANA-ARIN) iana () IANA ORG
      (310) 823-9358
      Fax- (310) 823-8649

   Domain System inverse mapping provided by:

   BLACKHOLE.ISI.EDU 128.9.64.26

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods () acm org> <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
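An added example, not part of the original message: a small audit that tallies UDP port 137 probes seen on a border interface by source class, so 169.254.0.0/16 and RFC 1918 sources that should have been filtered stand out. The iptables-LOG-like line layout, the interface names `eth0`/`eth1`, and every address in the sample are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Source ranges the message says must be dropped at every network border.
BOGON_SOURCES = {
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
    "rfc1918": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}

# Constructed sample lines in an iptables-LOG-like layout (not real traffic).
SAMPLE_LOG = """\
Mar 25 10:01:02 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=137 DPT=137
Mar 25 10:01:02 gw kernel: IN=eth0 SRC=169.254.12.200 DST=203.0.113.10 PROTO=UDP SPT=137 DPT=137
Mar 25 10:01:03 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=UDP SPT=137 DPT=137
Mar 25 10:01:03 gw kernel: IN=eth0 SRC=169.254.12.200 DST=203.0.113.11 PROTO=UDP SPT=137 DPT=137
Mar 25 10:02:10 gw kernel: IN=eth0 SRC=10.1.2.3 DST=203.0.113.10 PROTO=UDP SPT=1026 DPT=137
Mar 25 10:02:11 gw kernel: IN=eth1 SRC=192.168.1.5 DST=192.168.1.255 PROTO=UDP SPT=137 DPT=137
"""

LINE_RE = re.compile(r"IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=\S+ "
                     r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")

def classify(src):
    """Return the non-routable class of a source address, or None if routable."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "malformed"
    for label, nets in BOGON_SOURCES.items():
        if any(addr in net for net in nets):
            return label
    return None

def audit(log_text, border_iface="eth0", port=137):
    """Tally UDP probes to `port` seen on the border interface by source class."""
    counts, offenders = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or (m["iface"], m["proto"], m["dpt"]) != (border_iface, "UDP", str(port)):
            continue
        label = classify(m["src"])
        counts[label or "routable"] += 1
        if label:
            offenders.append((m["src"], label))
    return counts, offenders

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any non-zero "link-local" or "rfc1918" count on the border interface means the ingress filter is missing or incomplete for that range.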