Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: UDP 1434 - worm spoofing or not?

From: "Gianluca Marcari" <gmarcari () tiscalinet it>
Date: Sat, 25 Jan 2003 21:50:32 +0100
From: "Glenn Forbes Fleming Larratt" <glratt () rice edu>


 Hold on a second here.

 According to the specification for DHCP (I think - can anyone
 quote chapter and verse, and/or RFC?), 169.254.0.0/16 is reserved
 for DHCP clients that don't get a lease.


I agree. That's APIPA (Automatic Private IP Addressing) kicking in: it gives
you an address in that range when it is configured for DHCP but cannot find
a DHCP server.


 Is it possible that this is not deliberate spoofing per se,
 but a DHCP-enabled  infected machine that someone plugged into
 your non-DHCP network? Since the traffic is UDP, it wouldn't
 necessarily matter that it's spoofed for the purposes of worm
 propagation.


I would agree except for one single thing: if the client didn't find a DHCP
server, and had to revert to APIPA, how did it find the router's address, to
send packets out onto the 'net? :-)


 Has everybody got their egress filtering working ? :)


I didn't even try to touch the Snort rulebase - just added a quick'n dirty
"deny udp any any eq 1434" on my border router's ACL



Glenn Forbes Fleming Larratt
Rice University Network Management
glratt () rice edu


Ciao
Gianluca Marcari



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: