Security Incidents mailing list archives
Re: Resolution on source IP address 169.254.* source addresses
From: ben () ION AS UTEXAS EDU (Ben Laws)
Date: Thu, 13 Apr 2000 19:17:42 -0500
"Jeffrey D. Carter" wrote:
My message a couple of weeks ago about Port 137 scanning activity had a related oddity in the traces: several of the scans, rather than simply being a sequence of 3 packets from a single source, appeared to be interleaved series of packets from 2 sources, one of them a 169.254.* address.
Thanks for your followup, I was curious... I've been seeing similar activity here. The difference is this activity hits a number of hosts on our subnet rather than a single host. I usually see a couple scans of this type daily, many times from @home nets and their ilk. About half the time, 169.254.x.x and other reserved addresses are intermixed as in this example.

Apr 12 03:20:10 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.99:137
Apr 12 03:20:10 host snort: SMB Name Wildcard: 169.254.222.20:137 -> x.x.x.99:137
Apr 12 03:20:10 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.99:137
Apr 12 03:20:12 host snort: SMB Name Wildcard: 169.254.222.20:137 -> x.x.x.99:137
Apr 12 03:20:12 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.99:137
Apr 12 03:21:17 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.104:137
Apr 12 03:21:18 host snort: SMB Name Wildcard: 169.254.222.20:137 -> x.x.x.104:137
Apr 12 03:21:18 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.104:137
Apr 12 03:21:20 host snort: SMB Name Wildcard: 169.254.222.20:137 -> x.x.x.104:137
Apr 12 03:21:20 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.104:137
Apr 12 03:23:02 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.112:137
Apr 12 03:23:44 host snort: SMB Name Wildcard: 169.254.222.20:137 -> x.x.x.115:137
Apr 12 03:26:03 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.122:137
Apr 12 03:27:15 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.124:137
Apr 12 03:27:16 host snort: SMB Name Wildcard: 169.254.222.20:137 -> x.x.x.124:137
Apr 12 03:27:16 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.124:137
Apr 12 03:27:18 host snort: SMB Name Wildcard: 169.254.222.20:137 -> x.x.x.124:137
Apr 12 03:27:18 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.124:137
Apr 12 03:27:40 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.126:137

b
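The interleaving described in this message can be pulled out of snort syslog output mechanically. The following is an added example, not part of the original post: it pairs each 169.254.* source with any routable source that hit the same destination within a short window. The function names, the 5-second window and the year default (syslog lines carry none) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the alert lines quoted in the post (destinations are redacted there).
SAMPLE = """\
Apr 12 03:20:10 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.99:137
Apr 12 03:20:10 host snort: SMB Name Wildcard: 169.254.222.20:137 -> x.x.x.99:137
Apr 12 03:20:12 host snort: SMB Name Wildcard: 169.254.222.20:137 -> x.x.x.99:137
Apr 12 03:23:02 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.112:137
Apr 12 03:23:44 host snort: SMB Name Wildcard: 169.254.222.20:137 -> x.x.x.115:137
Apr 12 03:27:15 host snort: SMB Name Wildcard: 209.112.188.221:137 -> x.x.x.124:137
Apr 12 03:27:16 host snort: SMB Name Wildcard: 169.254.222.20:137 -> x.x.x.124:137
"""

LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ snort: (.+?): "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\S+):(\d+)$")

def parse(text, year=2000):
    """Yield (timestamp, source address, destination string) per alert line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, ipaddress.ip_address(m.group(3)), m.group(5)

def paired_sources(text, window=timedelta(seconds=5)):
    """Map (link-local source, routable source) to the destinations that
    both of them probed within `window` of each other."""
    by_dst = defaultdict(list)
    for ts, src, dst in parse(text):
        by_dst[dst].append((ts, src))
    pairs = defaultdict(set)
    for dst, events in by_dst.items():
        for ts_a, a in events:
            if not a.is_link_local:          # 169.254.0.0/16 only
                continue
            for ts_b, b in events:
                if b.is_global and abs(ts_a - ts_b) <= window:
                    pairs[(str(a), str(b))].add(dst)
    return {k: sorted(v) for k, v in pairs.items()}

if __name__ == "__main__":
    for (link_local, routable), dsts in paired_sources(SAMPLE).items():
        print(f"{link_local} travels with {routable} at: {', '.join(dsts)}")
```

Destinations that saw only one of the two sources (x.x.x.112 and x.x.x.115 in this sample) are left out of the result.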