Security Incidents mailing list archives
Re: UDP echo packets from 1 dec until present
From: "Robert G. Ferrell" <root () rgfsparc cr usgs gov>
Date: Fri, 8 Dec 2000 12:49:27 -0600
i've been receiving a handful of UDP echo packets on an email server since december 1, consistently from the same IP address 00/12/1@10:44:08: FAIL: echo-dgram address from=169.254.97.28
The 169.254 block is reserved for Link Local use. I'm not sure if this is relevant to your problem, but look at this excerpt from RFC 2491 (IPv6 over NBMA Networks): Any Redirect message sent by a router MUST conform to all the rules described in [7] so that the packet is properly validated by the receiving host. Specifically, if the target of the resulting short-cut is the destination host then the ICMP Target Address MUST be the same as the ICMP Destination Address in the original message. If the target of the short-cut is an egress router then the ICMP Target Address MUST be a Link Local address of the egress router that is unique to the NBMA cloud to which the router's NBMA interface is attached. Could be a config error inside your metwork? Just a thought. It doesn't make a lot of sense as an information-gathering tool. Cheers, RGF Robert G. Ferrell, CISSP Information Systems Security Officer National Business Center U. S. Dept. of the Interior Robert_G_Ferrell () nbc gov ======================================== Who goeth without humor goeth unarmed. ========================================
Current thread:
- UDP echo packets from 1 dec until present Jose Nazario (Dec 09)
- Re: UDP echo packets from 1 dec until present Crist Clark (Dec 11)
- Re: UDP echo packets from 1 dec until present Sean Brown (Dec 11)
- <Possible follow-ups>
- Re: UDP echo packets from 1 dec until present Robert G. Ferrell (Dec 11)