Security Basics mailing list archives
RE: Strange Packet logs in ipchains
From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Wed, 26 Mar 2003 13:58:52 -0600
STFW The 169.254.0.0/16 block is reserved for machines with unassigned addresses and no access to dhcp/bootp. The trailing digits are some mangle of the MAC address, so that a small network can - peer-to-peer- set itself up without collisions. See RFC 3330 - http://www.rfc-editor.org/rfc/rfc3330.txt 169.254.0.0/16 - This is the "link local" block. It is allocated for communication between hosts on a single link. Hosts obtain these addresses by auto-configuration, such as when a DHCP server may not be found. Me thinks you have a machine or two that couldn't connect to the dhcp server. Once the link local address is assigned, of course, the user can't connect to anything (since you're not routing them...) so they probably just rebooted. I've seen this happen when you boot up the machine and forget to connect the cable to the network card, then do so after it's up. Since the dhcp stuff has timed out, the machine has a 169.254 address... -----Burton -----Original Message----- From: Sam Dirk [mailto:samdirk () online ie] Sent: Tuesday, March 25, 2003 4:42 AM To: security-basics () securityfocus com Subject: Strange Packet logs in ipchains Hi All, Yesterday I noticed the following entry in logs: Packet log: input REJECT eth0 PROTO=17 169.254.208.158:137 169.254.255.255:137 L=96 S=0x00 I=3072 F=0x0 000 T=128 (#9) This occured only on our internal (10.10.x.x address) network. The packets were seen three times over the course of the day but lasted for only one - two seconds so it was impossible to get a tcpdump. In addition the source address was either 169.254.208.158 or 169.254.24.111. We don't use the above addresses on the network so am I ------------------------------------------------------------------- SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.surfcontrol.com/go/zsfsbl1 ------------------------------------------------------------------- SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.surfcontrol.com/go/zsfsbl1
Current thread:
- Strange Packet logs in ipchains Sam Dirk (Mar 26)
- Re: Strange Packet logs in ipchains Vic Parat (NSS) (Mar 27)
- Re: Strange Packet logs in ipchains Bear Giles (Mar 27)
- RE: Strange Packet logs in ipchains Burton M. Strauss III (Mar 27)
- <Possible follow-ups>
- Re: Strange Packet logs in ipchains Paris Stone (Mar 27)
- RE: Strange Packet logs in ipchains Mike Heitz (Mar 27)
- RE: Strange Packet logs in ipchains Gwydion Mine (Mar 28)