Security Incidents mailing list archives

Re: UDP echo packets from 1 dec until present


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Fri, 8 Dec 2000 09:56:36 -0800

Jose Nazario wrote:

hi all,

i've been receiving a handful of UDP echo packets on an email server since
december 1, consistently from the same IP address. so far it hasn't caused
any performance problems (ie no floods), and they're being blocked. i'm at
a loss, though, to figure out why this trickle of packets would be found.
it doesn't make sense from a Firewalk point of view, as most sites block
echo (both tcp and udp) on their borders. it doesn't make sense from the
standpoint of detecting hosts, either, for that very reason. and the
trickle seems like a very poorly done DDoS, which seems to rule that out
(unless we assume super stupid attackers).

any input would be welcome. these are the only connections i have from
that IP (from xinetd logs):

00/12/1@10:44:08: FAIL: echo-dgram address from=169.254.97.28
                                                  ^^^^^^^^^^^^^
You do realize this is an unregistered address in the LINKLOCAL netblock,
right? That is, this stuff is not routed on the backbone. If not spoofed,
that traffic is coming from someplace "near by" in network terms. These
days, the most common source of LINKLOCAL-net packets are misconfigured
Win2k boxes. If they can't find an address by other means for a logical
interface, they pull a LINKLOCAL number from who-knows-where. Then when
they start to chatter away, like Winboxes are prone to do, you start
to see traffic on your net with strange source addresses.

So, have any new Windows machines on your net? Not sure why one would
be generating this traffic, tho'.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
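The check Crist describes (is the source address in a block that cannot have come across the backbone, and if so, how often is it showing up?) is easy to automate over the xinetd log. The script below is an added example, not code from either poster; it assumes the log line layout of the single line quoted in the thread (`timestamp: FAIL: service address from=IP`) and uses constructed sample lines, with only the 169.254.97.28 entry taken from the message above. Besides the 169.254.0.0/16 link-local block it also flags RFC 1918 and loopback sources, which carry the same "this came from nearby or is spoofed" implication.

```python
import ipaddress
import re

# Constructed sample xinetd log lines. The 169.254.97.28 entries mirror the
# line quoted in the thread; the other addresses are filler (203.0.113.9 is an
# RFC 5737 documentation prefix standing in for an ordinary routed source).
SAMPLE_LOG = """\
00/12/1@10:44:08: FAIL: echo-dgram address from=169.254.97.28
00/12/1@10:51:12: FAIL: echo-dgram address from=169.254.97.28
00/12/2@08:02:33: FAIL: echo-dgram address from=203.0.113.9
00/12/2@09:15:05: FAIL: echo-dgram address from=10.3.4.5
00/12/2@09:16:40: this line is not an xinetd FAIL record
"""

# Assumed line layout, generalised from the one line shown in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\S+): FAIL: (?P<service>\S+) address from=(?P<src>[0-9.]+)$"
)

# Blocks that are not routed on the public Internet. A source in one of these
# is either local to your network or spoofed.
UNROUTABLE = [
    ("link-local (169.254/16, Windows APIPA)", ipaddress.ip_network("169.254.0.0/16")),
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
]


def classify(src):
    """Return the label of the unroutable block containing src, or None."""
    addr = ipaddress.ip_address(src)
    for label, net in UNROUTABLE:
        if addr in net:
            return label
    return None


def parse_line(line):
    """Split one xinetd FAIL line into (timestamp, service, source) or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("ts"), m.group("service"), m.group("src")


def scan(log_text):
    """Map each unroutable source address to (hit count, block label).

    Lines that do not parse, and sources outside the listed blocks, are
    skipped, so the result only contains addresses worth looking at locally.
    """
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, _service, src = parsed
        label = classify(src)
        if label is None:
            continue
        count, _ = hits.get(src, (0, label))
        hits[src] = (count + 1, label)
    return hits


if __name__ == "__main__":
    for src, (count, label) in sorted(scan(SAMPLE_LOG).items()):
        print(f"{src:16} {count:4d} hit(s)  {label}")
```

Run against a real xinetd log with `scan(open(path).read())`. A source in the link-local block with a steady hit count is the pattern Crist points at: look for it on the local segment (ARP table, switch port) rather than in whois.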

