Snort mailing list archives

Re: Strange portscan traffic with dest of 169.254.x.x


From: CunningPike <cunningpike () gmail com>
Date: Mon, 25 Feb 2008 13:33:02 -0800

Directly from RFC3330:

"169.254.0.0/16 - This is the "link local" block.  It is allocated for
    communication between hosts on a single link.  Hosts obtain these
    addresses by auto-configuration, such as when a DHCP server may not
    be found."

Why would a netblock that's not part of your internal network NOT get 
routed to your external firewall/router? Whether your router actually 
passes that traffic is another matter.

CP

Aaron Giuoco wrote:
For the past couple of days, I have been seeing some very strange portscan traffic coming from internal addresses and 
going to the internet.  The Snort box I have been getting these alerts on is sitting just behind our Internet 
firewall.  I have attached a screenshot of the alert.

It's odd for a couple reasons.  First, why is 169.254 traffic even getting routed to our external firewall?  This is 
probably something I need to discuss with our network admin.  That just seems weird to me.  Second, if I am reading 
the alert correctly, it looks like the computer is scanning itself for NetBIOS and SMB ports.  I was just wondering 
if anyone else has seen anything like this.

AG


