Security Basics mailing list archives

RE: source LAN port 137 dest 169.x


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 29 Jul 2003 16:18:04 -0700

  I would bet that you have one or more (Windows) machines on 
your local network that are failing to get a response from a 
DHCP server when they need one.  When that happens, they assign
themselves a random address in the 169.254.x.x/16 block.
  They then proceed to advertise their presence via NetBIOS,
with a broadcast to UDP port 137.  Other Windows machines see
the broadcast, and attempt to respond to it.
  Having determined that the source address is not supposed to
be on the local 172.x.x.x subnet, these responding hosts are
directing their responses by way of the gateway address.  They'll
be dropped at the point where something recognizes that 169.254.x.x
is a bogon and not a routable destination.

David Gillett
  

-----Original Message-----
From: Darren Gragg [mailto:admin () bsbks com]
Sent: July 29, 2003 08:33
To: security-basics () securityfocus com
Subject: source LAN port 137 dest 169.x


I am seeing some UDP packets showing up in my logs as being dropped
that have a source of 172 my local subnet with a port of 137 and a
destination of a 169.xxx.xxx.xxx address with a port of 137.  What
would that destination be telling me?  Any ideas?  Thanks very much
in advance

Darren Gragg
Network Administrator
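
As an added example (not part of either message above), this Python script applies the diagnosis in the reply to a drop log: it groups dropped UDP 137 packets by their 169.254.x.x destination, so each key is a machine that probably failed to get a DHCP lease. The netfilter-style log layout, the 172.16.0.0/16 subnet and every sample line are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # self-assigned block named in the reply
LOCAL_NET = ipaddress.ip_network("172.16.0.0/16")    # assumption: stand-in for the 172.x subnet
NBNS_PORT = 137                                      # NetBIOS name service

# Constructed sample drop-log lines; the key=value layout is an assumption.
SAMPLE_LOG = """\
Jul 29 08:30:01 gw kernel: DROP IN=eth1 SRC=172.16.4.21 DST=169.254.17.80 PROTO=UDP SPT=137 DPT=137
Jul 29 08:30:01 gw kernel: DROP IN=eth1 SRC=172.16.4.37 DST=169.254.17.80 PROTO=UDP SPT=137 DPT=137
Jul 29 08:30:09 gw kernel: DROP IN=eth1 SRC=172.16.4.21 DST=169.254.201.6 PROTO=UDP SPT=137 DPT=137
Jul 29 08:30:12 gw kernel: DROP IN=eth1 SRC=172.16.4.50 DST=169.1.2.3 PROTO=UDP SPT=137 DPT=137
Jul 29 08:30:15 gw kernel: DROP IN=eth1 SRC=172.16.4.50 DST=192.0.2.10 PROTO=TCP SPT=49152 DPT=445
Jul 29 08:30:20 gw kernel: DROP IN=eth1 SRC=172.16.4.21 DST=169.254.17.80 PROTO=ICMP TYPE=8
Jul 29 08:31:00 gw kernel: link eth1 up
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return (src, dst, proto, sport, dport), or None if the line lacks those fields."""
    f = dict(FIELD.findall(line))
    try:
        return (ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"]),
                f["PROTO"], int(f["SPT"]), int(f["DPT"]))
    except (KeyError, ValueError):
        return None  # non-packet line, or a protocol without ports

def autoconfigured_hosts(log_text):
    """Map each 169.254.x.x destination to the local hosts whose replies were dropped."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, proto, sport, dport = rec
        # Only 169.254.0.0/16 is the self-assigned range; other 169.x space does not count.
        if (proto == "UDP" and sport == NBNS_PORT and dport == NBNS_PORT
                and src in LOCAL_NET and dst in LINK_LOCAL):
            hits[str(dst)].add(str(src))
    return {dst: sorted(srcs) for dst, srcs in hits.items()}

if __name__ == "__main__":
    for dst, responders in autoconfigured_hosts(SAMPLE_LOG).items():
        print(f"{dst}: likely failed DHCP; answered by {', '.join(responders)}")
```

The logged source addresses are the responding hosts, so the machine to go and find is the one holding the 169.254.x.x address, not the 172.x sender.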

