Security Incidents mailing list archives

Re: UDP port 137 packets sent to 70.255.224.194 (and to other hosts/nets as well)


From: "Daniel S. Riley" <dsr () MAIL LNS CORNELL EDU>
Date: Wed, 30 Aug 2000 18:24:57 -0400

Pavel Lozhkin <pauel () BALAKOVO RU> writes:
> For the last week I sent 4 or 5 complaints about a UDP scan (138 port). I have
> one answer from iana.org; they wrote: "It is legal traffic and do not
> worry about it and contact to your ISP for more information". That was 2
> days ago. Today I sent him the next complaint about a new scan....
>
> First: I am the ISP myself ;)
> Second: This traffic has not been directed at just one host; in the
> log I saw this:
>
> Aug-30-01:37:02 UDP from 169.254.100.72:137 to XXX.XX.XXX.16:137
> Aug-30-01:37:06 UDP from 169.254.100.72:137 to XXX.XXX.XXX.17:137

169.254.0.0/16 is reserved for auto-configuration of local addresses
in networks where no DHCP server is found[1].  That block is not (or
at least should not be) routed over the internet backbones[2].  Any
traffic from 169.254.0.0/16 is either from your local network, or
forged--and either way, complaining to IANA or ISI is a waste of their
time.

[1] http://search.ietf.org/internet-drafts/draft-manning-dsua-03.txt

[2] Try a traceroute--you should run into a no-route in a short number
of hops:

% traceroute 169.254.100.72
traceroute to 169.254.100.72 (169.254.100.72), 30 hops max, 40 byte packets
 1  lnsfw (128.84.44.1)  3 ms  3 ms  3 ms
 2  ccc1-8540-vl669.cit.cornell.edu (128.253.147.4)  9 ms  14 ms  10 ms
 3  cornellnet4-gig1-0-0.cit.cornell.edu (128.253.222.162)  6 ms !H  5 ms !H  9 ms !H

--
Dan Riley                                         dsr () mail lns cornell edu
Wilson Lab, Cornell University      <URL:http://www.lns.cornell.edu/~dsr/>
    "History teaches us that days like this are best spent in bed"

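The check described in this message, as an added example that is not part of the original post: the script tallies log sources by whether they fall in blocks that should not be routed across the Internet. The RFC 1918 entries and the last three sample lines are assumptions added for illustration and go beyond what the message mentions.

```python
import ipaddress
import re
from collections import Counter

# Source blocks that should not arrive over an Internet backbone.
NON_ROUTABLE = [
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
]

# "<stamp> UDP from <src>:<port> to <dst>:<port>"; dst may be masked (XXX).
LINE_RE = re.compile(r"^\S+ (?:UDP|TCP) from (?P<src>[\d.]+):\d+ to \S+:\d+$")

def classify_source(addr):
    """Return the non-routable block name holding addr, else 'routable'."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    for name, net in NON_ROUTABLE:
        if ip in net:
            return name
    return "routable"

def summarize(log_text):
    """Count entries per (source, class); skip lines that do not parse."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            counts[(m["src"], classify_source(m["src"]))] += 1
        except ValueError:
            continue
    return counts

# First two lines are from the message; the rest are constructed.
# 198.51.100.9 is a documentation address standing in for a routable source.
SAMPLE_LOG = """\
Aug-30-01:37:02 UDP from 169.254.100.72:137 to XXX.XX.XXX.16:137
Aug-30-01:37:06 UDP from 169.254.100.72:137 to XXX.XXX.XXX.17:137
Aug-30-01:40:11 UDP from 10.1.2.3:137 to XXX.XX.XXX.16:137
Aug-30-01:41:30 UDP from 198.51.100.9:137 to XXX.XX.XXX.18:137
Aug-30-01:42:00 UDP from 999.1.1.1:137 to XXX.XX.XXX.18:137
"""

if __name__ == "__main__":
    for (src, label), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {src:15s}  {label}")
```

Sources labelled link-local or rfc1918 point to the local network or a forged packet, so the place to look is local segments and border filtering rather than an address registry.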
