Security Incidents mailing list archives

Re: UDP echo packets from 1 dec until present


From: "Robert G. Ferrell" <root () rgfsparc cr usgs gov>
Date: Fri, 8 Dec 2000 12:49:27 -0600

I've been receiving a handful of UDP echo packets on an email server since
December 1, consistently from the same IP address
00/12/1@10:44:08: FAIL: echo-dgram address from=169.254.97.28

The 169.254 block is reserved for Link Local use.

I'm not sure if this is relevant to your problem, but look at this
excerpt from RFC 2491 (IPv6 over NBMA Networks):

   Any Redirect message sent by a router MUST conform to all the
   rules described in [7] so that the packet is properly validated by
   the receiving host.  Specifically, if the target of the resulting
   short-cut is the destination host then the ICMP Target Address
   MUST be the same as the ICMP Destination Address in the original
   message.  If the target of the short-cut is an egress router then
   the ICMP Target Address MUST be a Link Local address of the egress
   router that is unique to the NBMA cloud to which the router's NBMA
   interface is attached.

Could be a config error inside your network?

Just a thought.  It doesn't make a lot of sense as an
information-gathering tool.

Cheers,

RGF

Robert G. Ferrell, CISSP
Information Systems Security Officer
National Business Center
U. S. Dept. of the Interior
Robert_G_Ferrell () nbc gov
========================================
 Who goeth without humor goeth unarmed.
========================================
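
As an added example that is not part of the original message: one way to triage log lines in the format quoted above is to group the FAIL entries by service and source, and label sources that fall in link-local, loopback or RFC 1918 space, since those should not arrive from off-link and point to a local misconfiguration or a forged source. The function names and all sample lines except the first are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches lines shaped like the one quoted in the message:
#   00/12/1@10:44:08: FAIL: echo-dgram address from=169.254.97.28
LINE_RE = re.compile(r"^(?P<ts>\S+): FAIL: (?P<service>\S+) \S+ from=(?P<src>\S+)$")

# Address blocks that should never be seen as an off-link source.
SPECIAL = [(label, ipaddress.ip_network(net)) for label, net in (
    ("link-local", "169.254.0.0/16"),
    ("loopback", "127.0.0.0/8"),
    ("rfc1918", "10.0.0.0/8"),
    ("rfc1918", "172.16.0.0/12"),
    ("rfc1918", "192.168.0.0/16"),
)]

def classify(addr):
    """Label a source address; 'other' means none of the special blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    for label, net in SPECIAL:
        if ip in net:
            return label
    return "other"

def summarize(lines):
    """Count FAIL entries per (service, source, label); skip other lines."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            src = m.group("src")
            counts[(m.group("service"), src, classify(src))] += 1
    return counts

def suspicious(counts):
    """Entries whose source cannot be a legitimate off-link sender."""
    return sorted((k, n) for k, n in counts.items() if k[2] != "other")

# First line is from the message; the rest are constructed sample data.
SAMPLE_LOG = """\
00/12/1@10:44:08: FAIL: echo-dgram address from=169.254.97.28
00/12/2@03:12:51: FAIL: echo-dgram address from=169.254.97.28
00/12/3@07:30:00: FAIL: telnet address from=192.0.2.10
00/12/4@09:00:00: FAIL: echo-dgram address from=10.1.2.3
not a log line
"""

if __name__ == "__main__":
    for (service, src, label), n in suspicious(summarize(SAMPLE_LOG.splitlines())):
        print(f"{service:12} {src:16} {label:11} x{n}")
```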

