Security Incidents mailing list archives
Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity)
From: woods () MOST WEIRD COM (Greg A. Woods)
Date: Wed, 29 Mar 2000 15:55:22 -0500
[ On Wednesday, March 29, 2000 at 11:09:31 (+0200), Pavel Kankovsky wrote: ]
Subject: Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity) On Sat, 25 Mar 2000, Jeffrey D. Carter wrote:There is one other anomoly in the data below: 4 of the probe clumps include an interleaved series of a remote address and an address in the 169.254.0.0 netblock....169.254.0.0/16 is the netblock of choice for another silly Windows feature called "IP autoconfiguration". Windows pick up a more or less random address from this range and start using it if they fail to get an IP address by DHCP...or when they have a bad day or something.
That's not a "silly MS-Win" feature -- it's a silly, or maybe even
downright stupid and possibly dangerous, feature shared by many DHCP
client implementations, including Mac OS system 8.5 and higher. :-)
It's also called the "LINKLOCAL" network, but so far as I know it's not
yet standardised by the IETF.
It should of course be aggressively filtered at all network borders and
anywhere else such filtering is possible (just as all RFC-1918 addresses
MUST be aggressively filtered). Various documents also advise that NATs
NOT be set up to translate it.
The best overview of this I've found so far is:
http://www.performancecomputing.com/columns/daemons/9907.shtml
The current (as of 2000/03/02) draft reference is:
http://www.ietf.org/internet-drafts/draft-ietf-dhc-ipv4-autoconfig-05.txt
Internet Assigned Numbers Authority (IANA)
(NETBLK-LINKLOCAL)
For use with Link Local Networks
Information Sciences Institute
University of Southern California
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292-6695
Netname: LINKLOCAL
Netblock: 169.254.0.0 - 169.254.255.255
Coordinator:
Internet Assigned Numbers Authority (IANA-ARIN) iana () IANA ORG
(310) 823-9358
Fax- (310) 823-8649
Domain System inverse mapping provided by:
BLACKHOLE.ISI.EDU 128.9.64.26
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods () acm org> <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
Current thread:
- Re: lots of interest in port 109 (POP2), (continued)
- Re: lots of interest in port 109 (POP2) drkn (Mar 14)
- Syn and Fin in different packets together Stuart Staniford-Chen (Mar 21)
- Re: Syn and Fin in different packets together Simple Nomad (Mar 22)
- Re: Syn and Fin in different packets together Granquist, Lamont (Mar 24)
- Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity Jeffrey D. Carter (Mar 25)
- Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probeactivity Bryan Andersen (Mar 28)
- Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probeactivity Christoph Schneeberger (Mar 29)
- Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service)probeactivity Bill Pennington (Mar 29)
- Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity) Pavel Kankovsky (Mar 29)
- Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity) Joshua Krage (Mar 29)
- Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity) Greg A. Woods (Mar 29)
- Re: 169.254.x.x Robert Graham (Mar 29)
- Re: 169.254.x.x Pavel Kankovsky (Mar 30)
- Cracked by the Brazilians Seth Milder (Mar 30)
- Re: Cracked by the Brazilians Michael Damm (Mar 30)
- Re: Cracked by the Brazilians Seth Milder (Mar 30)
- Re: Cracked by the Brazilians Robert Graham (Mar 30)
- Re: Cracked by the Brazilians Seth Milder (Mar 30)
- Re: Cracked by the Brazilians Michael H. Warfield (Mar 30)
- Re: Cracked by the Brazilians Omachonu Ogali (Mar 30)
- Re: Cracked by the Brazilians Blaise St-Laurent (Mar 30)