Snort mailing list archives
Re: Strange portscan traffic with dest of 169.254.x.x
From: CunningPike <cunningpike () gmail com>
Date: Mon, 25 Feb 2008 13:33:02 -0800
Directly from RFC3330: "169.254.0.0/16 - This is the "link local" block. It is allocated for communication between hosts on a single link. Hosts obtain these addresses by auto-configuration, such as when a DHCP server may not be found." Why would a netblock that's not part of your internal network NOT get routed to your external firewall/router? Whether your router actually passes that traffic is another matter. CP Aaron Giuoco wrote:
For the past couple of days, I have been seeing some very strange portscan traffic coming from internal addresses and going to the internet. The Snort box I have been getting these alerts on is sitting just behind our Internet firewall. I have attached a screenshot of the alert. It's odd for a couple reasons. First, why is 169.254 traffic even getting routed to our external firewall. This is probably something I need to discuss with our network admin. That just seems weird to me. Second, if I am reading the alert correctly, it looks like the computer is scanning itself for NetBIOS and SMB ports. I was just wondering if anyone else has seen anything like this. AG ____________________________________________________________________________________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs ------------------------------------------------------------------------ ------------------------------------------------------------------------ ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ ------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Strange portscan traffic with dest of 169.254.x.x Aaron Giuoco (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x Paul Melson (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x CunningPike (Feb 25)
- <Possible follow-ups>
- Re: Strange portscan traffic with dest of 169.254.x.x Aaron Giuoco (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x dhottinger (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x Joel Esler (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x dhottinger (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x Aaron Giuoco (Feb 26)