Security Basics mailing list archives
Re: source LAN port 137 dest 169.x
From: "James Fields" <jvfields () tds net>
Date: Tue, 29 Jul 2003 19:20:18 -0400
If you could give the *actual* destination address, I could be certain, but it's probably the following. On Microsoft boxes which are configured to use DHCP for their network settings, *if* they broadcast for DHCP and fail to get the settings, they will "self-assign" an address. I believe the addresses used start with 169, and I believe if you use Sam Spade or some other tool to do an IP Block lookup you'll see a little more information about it. So why is it showing up as a destination? Once a Windows box comes up with such a bogus address, this still does not mean it is "dead" on the network. It dutifully goes about doing what Windows boxes do, which is a lot of NetBIOS broadcasting. The packets you see are probably boxes on your local network trying to respond to those broadcasts which were originally sourced from the 169 guy. Since you obviously don't use that actual network, your default routing in your network is likely carrying those responses out toward your Internet perimeter, and getting dropped at your firewall. And no, assuming I am right, I am not particularly wise about this - I've had the same experience and a lot of time to track it down :-) ----- Original Message ----- From: "Darren Gragg" <admin () bsbks com> To: <security-basics () securityfocus com> Sent: Tuesday, July 29, 2003 11:33 AM Subject: source LAN port 137 dest 169.x I am seeing some UDP packets showing up in my logs as being dropped that have a source of 172 my local subnet with a port of 137 and a destination of a 169.xxx.xxx.xxx address with a port of 137. what would that destination be telling me? Any ideas? Thanks very much in advance Darren Gragg Network Administrator --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- source LAN port 137 dest 169.x Darren Gragg (Jul 29)
- RE: source LAN port 137 dest 169.x Kurt (Jul 29)
- RE: source LAN port 137 dest 169.x David Gillett (Jul 30)
- Re: source LAN port 137 dest 169.x James Fields (Jul 30)
- Re: source LAN port 137 dest 169.x David Nichols (Jul 30)
- <Possible follow-ups>
- RE: source LAN port 137 dest 169.x Jason Armstrong (Jul 30)
- RE: source LAN port 137 dest 169.x stephen at unix dot za dot net (Jul 31)
- RE: source LAN port 137 dest 169.x David Gillett (Jul 31)
- RE: source LAN port 137 dest 169.x stephen at unix dot za dot net (Jul 31)
- RE: source LAN port 137 dest 169.x Potter, Tim (Jul 30)
- RE: source LAN port 137 dest 169.x Escue, Robert S CONT (NETS) (Jul 31)