Security Basics mailing list archives

RE: Strange Packet logs in ipchains


From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Wed, 26 Mar 2003 13:58:52 -0600

STFW

The 169.254.0.0/16 block is reserved for machines with unassigned addresses
and no access to dhcp/bootp.  The trailing digits are some mangle of the MAC
address, so that a small network can - peer-to-peer - set itself up without
collisions.

See RFC 3330 - http://www.rfc-editor.org/rfc/rfc3330.txt

   169.254.0.0/16 - This is the "link local" block.  It is allocated for
   communication between hosts on a single link.  Hosts obtain these
   addresses by auto-configuration, such as when a DHCP server may not
   be found.

Methinks you have a machine or two that couldn't connect to the dhcp
server.  Once the link local address is assigned, of course, the user can't
connect to anything (since you're not routing them...) so they probably just
rebooted.

I've seen this happen when you boot up the machine and forget to connect the
cable to the network card, then do so after it's up.  Since the dhcp stuff
has timed out, the machine has a 169.254 address...

-----Burton

-----Original Message-----
From: Sam Dirk [mailto:samdirk () online ie]
Sent: Tuesday, March 25, 2003 4:42 AM
To: security-basics () securityfocus com
Subject: Strange Packet logs in ipchains




Hi All,

Yesterday I noticed the following entry in logs:

Packet log: input REJECT eth0 PROTO=17 169.254.208.158:137 169.254.255.255:137 L=96 S=0x00 I=3072 F=0x0000 T=128 (#9)

This occurred only on our internal (10.10.x.x address) network. The packets
were seen three times over the course of the day but lasted for only one -
two seconds so it was impossible to get a tcpdump.

In addition the source address was either 169.254.208.158 or
169.254.24.111. We don't use the above addresses on the network so am I

-------------------------------------------------------------------
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.surfcontrol.com/go/zsfsbl1
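
Added example, not part of the original thread: a Python sketch that parses ipchains log entries in the format quoted above and groups those whose source lies in the 169.254.0.0/16 link-local block, so the machines that failed to get a DHCP lease can be identified. The syslog prefix, the host name `fw` and everything in the second and third sample lines apart from the address 169.254.24.111 are constructed.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3330 "link local" block

# Field layout follows the ipchains entry quoted in the thread; search() also
# tolerates a leading syslog prefix.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ident>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)

SAMPLE = [
    # Entry quoted in the thread, rejoined onto one line.
    "Packet log: input REJECT eth0 PROTO=17 169.254.208.158:137 "
    "169.254.255.255:137 L=96 S=0x00 I=3072 F=0x0000 T=128 (#9)",
    # Constructed entries (prefix, ids and the 10.10.x.x hosts are made up).
    "Mar 25 09:14:02 fw kernel: Packet log: input REJECT eth0 PROTO=17 "
    "169.254.24.111:137 169.254.255.255:137 L=96 S=0x00 I=3080 F=0x0000 T=128 (#9)",
    "Mar 25 09:15:40 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 "
    "10.10.1.20:1045 10.10.0.1:22 L=60 S=0x00 I=511 F=0x4000 T=64 (#3)",
]

def link_local_sources(lines):
    """Return {source_ip: [parsed entries]} for sources inside 169.254.0.0/16."""
    hits = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # digits that do not form a valid IPv4 address
        if src in LINK_LOCAL:
            entry = m.groupdict()
            # True when the host is broadcasting on its own autoconfigured net
            entry["to_link_local_broadcast"] = dst == LINK_LOCAL.broadcast_address
            hits.setdefault(str(src), []).append(entry)
    return hits

if __name__ == "__main__":
    for src, entries in link_local_sources(SAMPLE).items():
        e = entries[0]
        print(f"{src}: {len(entries)} packet(s) on {e['iface']}, proto {e['proto']}, "
              f"dst port {e['dport']}, broadcast={e['to_link_local_broadcast']}")
```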


